Subject:

Spot the bug: Bad Escape


Date:
Message-Id: https://www.5snb.club/posts/2023/spot-the-bug-bad-escape/
Tags: #security

Hi! I wrote some Excellent Javascript that lets you change an image based on the funny little characters you type in the box at the bottom. I’ve vaguely heard of XSS, so I know that I should escape the characters, so I copied the escaping rules from Tera.

Namely, replacing &, <, >, ", `, and / with their associated HTML entities.

Your task is to call submitFlag with the string value <>. If you succeed, I will alert a fun message for you :)

View source is allowed but shouldn’t be needed, hopefully the text here is clear enough.

I’ll create a <img src=/img/{user input}> and stick it below :)
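The escaper and template described above, written out as an added example (this is not the post's own code). It applies the escape list exactly as the page prints it (a backtick and no single quote; the entity spellings chosen for the backtick and slash are my assumption, since the post names only the characters), interpolates the result into the unquoted src= attribute the post describes, and runs a small start-tag scanner over the output. The scanner is not an HTML parser; it only mirrors the two tokenizer rules that matter here: a quoted attribute value ends at its matching quote, and an unquoted one ends at ASCII whitespace or `>`. The double-quoted variant is the usual fix for this context, and the single-quoted variant shows why the escape set has to match the quoting style you actually use. All inputs are constructed.

```javascript
// Escaper with the character list the post gives: &, <, >, ", `, /.
// Entity spellings for ` and / are an assumption; the post names only the characters.
const ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', '`': '&#x60;', '/': '&#x2F;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"`\/]/g, (c) => ENTITIES[c]);
}

// The post's template: the escaped input lands in an UNQUOTED attribute value.
function unquotedImg(userInput) {
  return `<img src=/img/${escapeHtml(userInput)}>`;
}

// Hardened variant: double-quoted attribute. Because " is in the escape list,
// the value cannot be closed early, so whitespace in the input stays inside it.
function quotedImg(userInput) {
  return `<img src="/img/${escapeHtml(userInput)}">`;
}

// Single-quoted variant: ' is NOT in the list above, so this is still breakable.
function singleQuotedImg(userInput) {
  return `<img src='/img/${escapeHtml(userInput)}'>`;
}

// Minimal scanner for the attribute names of one start tag. Not a full HTML
// parser; it mirrors only the tokenizer rules that matter here: a quoted value
// ends at its matching quote, an unquoted value ends at ASCII whitespace or '>'.
function attributeNames(tag) {
  const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\f' || c === '\r';
  const names = [];
  let i = 1; // skip '<'
  while (i < tag.length && !isSpace(tag[i]) && tag[i] !== '>') i++; // tag name
  for (;;) {
    while (i < tag.length && isSpace(tag[i])) i++;
    if (i >= tag.length || tag[i] === '>') break;
    let name = '';
    while (i < tag.length && !isSpace(tag[i]) && tag[i] !== '=' && tag[i] !== '>') name += tag[i++];
    names.push(name);
    while (i < tag.length && isSpace(tag[i])) i++;
    if (tag[i] !== '=') continue; // attribute without a value
    i++;
    while (i < tag.length && isSpace(tag[i])) i++;
    const q = tag[i];
    if (q === '"' || q === "'") {
      i++;
      while (i < tag.length && tag[i] !== q) i++;
      i++; // step past the closing quote
    } else {
      while (i < tag.length && !isSpace(tag[i]) && tag[i] !== '>') i++;
    }
  }
  return names;
}

// Constructed inputs: one benign, one carrying a space, one carrying a single quote.
function demo() {
  const benign = 'cat.png';
  const spaced = 'x onerror=alert(1)';
  const apos = "x' onerror='alert(1)";
  return {
    benignUnquoted: attributeNames(unquotedImg(benign)),      // ['src']
    spacedUnquoted: attributeNames(unquotedImg(spaced)),      // ['src', 'onerror']
    spacedQuoted: attributeNames(quotedImg(spaced)),          // ['src']
    aposSingleQuoted: attributeNames(singleQuotedImg(apos)),  // ['src', 'onerror']
    escapedText: escapeHtml('<b>&</b>'),                      // '&lt;b&gt;&amp;&lt;&#x2F;b&gt;'
  };
}
```

The escaper is fine for text nodes and for a double-quoted attribute; it is the unquoted context that lets a plain space, which no entity list touches, start a new attribute. In a real page the cleaner route is to skip string templating for the attribute altogether and set it through the DOM (`document.createElement('img')` followed by assigning `.src`), so there is no quoting context to get wrong.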

(The live page shows the img that was created, then a text box you can type in, and a button to click.)