An XSS story from my own blog

Original link:


I received a few reminders this evening, and I opened it and saw that someone was testing XSS in the comment area of ​​my blog:


Originally this kind of testing is commonplace, and this person failed to find XSS, I mostly closed the page before it was released.

But tonight I didn’t know why, so I took a look at the code I wrote and found an XSS vulnerability by myself:


what is the reason?

0x01 Introduction to Development History

When I was developing this reply button, for convenience, I directly used the JavaScript pseudo-protocol to call the reply_to function, such as:



This article is reprinted from:
This site is for inclusion only, and the copyright belongs to the original author.

Leave a Comment

Your email address will not be published.