I use vue-toasted. When I inject JS code, e.g. "><img src=1 onerror=prompt(document.cookie);>
into an input and click submit,
the notification shows like that, and a popup shows with the cookie :/ .
And console.log(response.data.message);
shows:
Created Site ""><img src=1 onerror=prompt(document.cookie);>" successfully!
Vue is escaping HTML, but toasted
is not. Here is the code:
handleFormSubmit: function(response) {
    this.showAddSiteModal = false;
    if (response.data.status === 'success')
    {
        console.log(response.data.message);
        this.$toasted.success(response.data.message); //<<< problem here: message is rendered as HTML
        this.addSite(response.data.site);
    }
    else
    {
        this.$toasted.error(response.data.message);
    }
},
Use htmlspecialchars() on the PHP side.
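As an added example (not code from the original post, from vue-toasted, or from the answer above), here is the same handler with the server message escaped on the client, immediately before it reaches the toast, which is the HTML sink the question identifies. This complements the server-side htmlspecialchars() suggestion: escaping at the sink also covers messages that do not come from that PHP endpoint. The escapeHtml function, the fake $toasted object, the demo() helper and the sample response are all constructed for this example; the only assumption about vue-toasted is the one the question reports, that it inserts the message as HTML.

```javascript
// Added example, not code from the original post or from vue-toasted.
// Escape the five HTML-significant characters before a string reaches a
// sink that renders HTML (assumed here: a toast library that sets innerHTML).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed stand-in for this.$toasted: it records the exact string it
// would hand to the DOM as HTML, so we can inspect what reaches the sink.
function makeFakeToasted() {
  const rendered = [];
  return {
    rendered,
    success(html) { rendered.push({ type: 'success', html }); },
    error(html) { rendered.push({ type: 'error', html }); },
  };
}

// Hardened version of the handler from the question: the message is escaped
// once, right before the HTML sink. The control flow is otherwise unchanged.
// Returns the escaped string so callers (and tests) can check it.
function handleFormSubmitSafe(vm, response) {
  vm.showAddSiteModal = false;
  const safeMessage = escapeHtml(response.data.message);
  if (response.data.status === 'success') {
    vm.$toasted.success(safeMessage);
    vm.addSite(response.data.site);
  } else {
    vm.$toasted.error(safeMessage);
  }
  return safeMessage;
}

// Constructed sample: the exact payload from the question, echoed back by the
// server inside its success message, as the question's console output shows.
const PAYLOAD = '"><img src=1 onerror=prompt(document.cookie);>';
const SAMPLE_RESPONSE = {
  data: {
    status: 'success',
    message: `Created Site "${PAYLOAD}" successfully!`,
    site: { name: PAYLOAD },
  },
};

// Minimal stand-in for the Vue component instance (hypothetical shape).
function demo() {
  const vm = {
    showAddSiteModal: true,
    $toasted: makeFakeToasted(),
    sites: [],
    addSite(site) { this.sites.push(site); },
  };
  const html = handleFormSubmitSafe(vm, SAMPLE_RESPONSE);
  // No raw '<' survives, so innerHTML can only produce text, never an <img> tag.
  console.log(html);
  return { html, rendered: vm.$toasted.rendered, sites: vm.sites, modalOpen: vm.showAddSiteModal };
}

demo();
```

Escape exactly once, at the sink: if the PHP side already applies htmlspecialchars() to the message, do not escape it a second time on the client, or the toast will display literal `&amp;quot;` sequences instead of quotes. Note that `site.name` is still passed through unescaped here; that is fine only because, as the question observes, Vue's template interpolation escapes it, and it would need the same treatment if it were ever rendered with `v-html` or another HTML sink.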
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.