
#0901

HTML Tag Injection

Easy, +50 XP, A03:2021 Injection, CWE-79
XSS, Output Encoding, HTML

Scenario

Your application renders user-submitted comments in an HTML page by interpolating username and comment directly into a template.

Neither field is HTML-escaped, allowing attackers to inject arbitrary HTML and JavaScript.

A stored XSS attack in a comment field can steal session cookies from every user who views the page.

Stored XSS in comment fields is one of the most common web vulnerabilities. It can lead to session hijacking, credential theft, and drive-by malware delivery.

Your Tasks

  1. Inspect renderComment — it interpolates username and comment with no escaping.
  2. Fix it: escape the following characters in both fields before inserting them into HTML:
     & → &amp;   < → &lt;   > → &gt;   " → &quot;   ' → &#39; (or the equivalent &#x27;)
  3. Return {html: escapedHtmlString}.

Examples

Example 1: Script tag injected via comment (bug)

renderComment('alice', '<script>alert(1)</script>')
// html contains raw <script> tag — XSS!

Example 2: Script tag safely escaped

renderComment('alice', '<script>alert(1)</script>')
// html contains &lt;script&gt;alert(1)&lt;/script&gt;

Constraints

  • Both username and comment must be escaped
  • Return an object {html: string} — not a bare string
  • Plain text with no special characters must appear unchanged in output
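The unescaped renderer from the scenario beside a hardened one, as an added example rather than the challenge's own reference solution. The template markup (the div/span elements and class names), the helper names escapeHtml and renderCommentUnsafe, and the sample inputs are assumptions, since the page does not show the original template.

```javascript
// Added example. The markup and helper names are assumptions; the page
// only specifies the renderComment(username, comment) -> {html} contract.

// Each HTML-significant character and the entity that replaces it.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Single-pass replacement: the '&' inside an entity we emit is never
// re-escaped, which chained .replace() calls in the wrong order would do.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable form described in the scenario: raw interpolation.
function renderCommentUnsafe(username, comment) {
  return { html: `<div class="comment"><span class="user">${username}</span>: ${comment}</div>` };
}

// Hardened form: both fields are escaped before they reach the template.
function renderComment(username, comment) {
  const u = escapeHtml(username);
  const c = escapeHtml(comment);
  return { html: `<div class="comment"><span class="user">${u}</span>: ${c}</div>` };
}

// Constructed sample inputs: markup in the comment, markup and quotes in
// the username, and plain text that must pass through unchanged.
const samples = [
  ['alice', '<script>alert(1)</script>'],
  ['bob "the" <b>builder</b>', "Tom & Jerry's"],
  ['carol', 'plain text'],
];
for (const [username, comment] of samples) {
  console.log('unsafe:', renderCommentUnsafe(username, comment).html);
  console.log('safe:  ', renderComment(username, comment).html);
}
```

Escaping these five characters covers HTML element content and quoted attribute values; values placed inside a script block, a URL attribute or an inline event handler need encoding for that context instead.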
