<script>alert('XSS');</script>

醉了，跑这里来测试XSS来了

https://github.com/cnodejs/nodeclub/blob/master/controllers/topic.js#L114

  var title   = validator.trim(req.body.title);
  title       = validator.escape(title);
  var tab     = validator.trim(req.body.tab);
  tab         = validator.escape(tab);
  var content = validator.trim(req.body.t_content);

jysperm 3楼•9 年前

标题是不是多了转义一次？