javascript xss poc

Is this JavaScript code vulnerable to XSS?


I have a simple example.js file that is included in an HTML page with <script src="example.js"></script>

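'use strict';

// Return the value of a query-string parameter from the current page URL
function getParam(name) {
  return new URLSearchParams(window.location.search).get(name);
}

function myFunction() {
  // The parameter value is only concatenated into the request URL string
  var myParam = '?my_param=' + getParam('my_param');
  $.ajax({
    cache: false,
    url: 'https://example.com' + myParam,
    type: 'GET',
    // [....]
  });
}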

Is the above JavaScript vulnerable to XSS? I would have thought that var myParam = '?my_param=' + getParam('my_param'), or even the part inside the ajax call when doing the string concatenation, would be, but I can't break the string and the " gets replaced by '\"'.

For example, something as simple as this:

https://mypage.com?my_param=test';alert(1);

I thought it would replace var myParam = '?my_param=' + getParam('my_param'); with var myParam = '?my_param=test';alert(1);


Solution

  • No.

    JavaScript does not execute strings returned from functions as if they were JS source code. They are just strings.
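Added example, not part of the original question or answer: it runs the question's payload through the same lookup and concatenation to show the value stays a plain string, then builds the same URL with the value percent-encoded. The `search` argument (standing in for `window.location.search`), the `alert` stand-in, `buildUrlEncoded` and the sample inputs are assumptions made so the code runs outside a browser.

```javascript
'use strict';

// Same lookup as the question's helper, but the query string is passed in
// instead of being read from window.location.search (assumption).
function getParam(search, name) {
  return new URLSearchParams(search).get(name);
}

// Stand-in for the browser's alert(): counts calls so the result is checkable.
let alertCalls = 0;
globalThis.alert = () => { alertCalls += 1; };

// The question's concatenation. The parameter value is data appended to a
// string at run time; it is never parsed as JavaScript source. That would
// only change if the string were handed to something that interprets text
// as code or markup (eval, new Function, innerHTML and similar sinks).
function buildUrlAsInQuestion(search) {
  const myParam = '?my_param=' + getParam(search, 'my_param');
  return 'https://example.com' + myParam;
}

// Hypothetical hardened variant: percent-encode the value so characters
// such as & = # ; cannot change the structure of the outgoing query string.
function buildUrlEncoded(search) {
  const value = getParam(search, 'my_param') ?? '';
  return 'https://example.com?my_param=' + encodeURIComponent(value);
}

// Constructed sample inputs: the question's payload, and a value that
// decodes to a string containing '&' and '='.
const SAMPLE_SEARCH = "?my_param=test';alert(1);";
const SAMPLE_AMPERSAND = '?my_param=a%26b%3D2';

console.log(buildUrlAsInQuestion(SAMPLE_SEARCH));
console.log('alert() calls:', alertCalls);
console.log(buildUrlAsInQuestion(SAMPLE_AMPERSAND));
console.log(buildUrlEncoded(SAMPLE_AMPERSAND));
```

The unencoded form is not script execution, but it does let the value add or alter query parameters in the request sent to example.com, which is why the encoded form (or jQuery's `data` option) is the safer way to build it.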