我想使用javascript作为示例的文本。 以下是代码:
<p>
<!-- XSS Example 1 -->
<h5> Here you can see how the XSS works <h5>
<img src="example/xssexample1.jpg" alt="XSS Example 1">
<br><br>
<!-- ************************************************************************************************** -->
<!-- XSS Example 2 -->
<h5> Example of injecting malicious JavaScript: <h5>
<img src="example/xssexample2.jpg" alt="XSS Example 2">
<br><br>
Now the attacker can craft a URL in the following format and send it to the victim:
<br><br>
http://www.test-attack.com/index.php?name=myuser <script>alert(‘hacked’)</script>
When the victim loads the URL shown above into the browser, he will see an alert box with the text "hacked".
Even though this specific example doesn’t cause any damage besides the annoying "hacked" pop-up,
it’s clear how an attacker can use this simple and straightforward method to exploit websites and applications.
</p>
所以我希望http://www.test-attack.com/index.php?name=myuser <script>alert(‘hacked’)</script>作为文字,但你只能看到没有JavaScript代码的网址。
我加载了jquery,所以我想问一下是否可以让它可见?
答案 0 :(得分:1)
你必须为标签转义<和>,以便它们作为文字字符而不是html标签解释。
<的HTML代码为<,>的HTML代码为>(分别意味着小于和大于)。
所以你必须这样写:
<script>alert(‘hacked’)</script>