siimots changed the title from "Script tag in Tooter Text breaks window.preloadData" to "Script tag in Footer Text breaks window.preloadData" on Oct 6, 2022
siimots changed the title from "Script tag in Footer Text breaks window.preloadData" to "Script tag in Footer Text breaks window.preloadData at Status Page" on Oct 6, 2022
window.preloadData did parse to a JSON object.
The real problem is that cheerio removed the end tag unexpectedly.
Oh no, I just spent some time on it. In the past, I always thought JSON.stringify was the best way to escape. It turned out it is not. It is more complex than I thought.
Description
A script tag in the custom footer text breaks window.preloadData and it gets added to the page.

Also, a side effect is that you can load custom JS/XSS there if you use this footer text:
"</script><script>alert()</script>"
window.preloadData should escape script to avoid parse error
window.preloadData crashes when script tag is in Footer Text.
1.18.0
Windows 10
Edge latest
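
Why JSON.stringify alone does not protect data embedded in an inline script, and one common way to harden the serialization, shown as an added example (not code from the project or from the participants in this issue). The function names, the `footerText` key and the inline-script template are assumptions for illustration, and the end-tag scan only approximates what an HTML parser does.

```javascript
// Constructed sample: the footer text from the report, held in the preloaded config.
const preloadData = { footerText: '</script><script>alert()</script>' };

// Naive embedding: JSON.stringify escapes quotes and backslashes for JSON,
// but knows nothing about HTML, so "</script>" passes through verbatim.
function naiveSerialize(data) {
    return JSON.stringify(data);
}

// Hardened embedding: replace the characters that matter to the HTML parser
// (and the line separators U+2028/U+2029) with \uXXXX escapes. Inside a JSON
// string these are equivalent, so the value the page script reads is unchanged.
const ESCAPES = {
    '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
    '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function safeSerialize(data) {
    return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// Builds the inline script a server would emit (hypothetical template).
function renderInlineScript(serialized) {
    return `<script>window.preloadData = ${serialized};</script>`;
}

// Approximates the HTML tokenizer rule: a script element ends at the first
// "</script" (case-insensitive), regardless of the JavaScript around it.
function scriptBodySeenByBrowser(html) {
    const start = html.indexOf('<script>') + '<script>'.length;
    const end = html.toLowerCase().indexOf('</script', start);
    return html.slice(start, end);
}

// True when the browser would see the whole assignment as one script body.
function extractsIntact(serialized) {
    const body = scriptBodySeenByBrowser(renderInlineScript(serialized));
    return body === `window.preloadData = ${serialized};`;
}

console.log('naive intact:', extractsIntact(naiveSerialize(preloadData)));
console.log('safe intact: ', extractsIntact(safeSerialize(preloadData)));
console.log('round trip:  ',
    JSON.parse(safeSerialize(preloadData)).footerText === preloadData.footerText);
```

With the naive serializer the script body is cut off in the middle of the string literal, which is the parse error in the report, and the rest of the footer text is handed to the HTML parser as markup.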