Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments.
For instance, ?text=<svg/onload=alert(1)> would trigger XSS here.
const [text] = createResource(() => {
return new URL(getRequestEvent().request.url).searchParams.get("text");
});
return (
<>
Text: {text()}
</>
);
Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments.
For instance,
?text=<svg/onload=alert(1)>would trigger XSS here.