Hi everyone,
I could not find any solution in previous topics here, so I thought I could open a discussion. The project I am working on is in Yii 1.1, recently got tested, and it turned out that you can efficiently perform an XSS injection in the URL and the web app lets the script perform.
The only step to making the script work is to encode the JavaScript piece like this:
https://localhost/new/<script>alert(1)⁢/script>.
Output:
How can I clean this URL so that it does not generate JavaScript output?
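
The kind of fix this question calls for, as an added example that is not part of the original post or of the Yii project: encode the value at the point where it is written into HTML. It assumes the path is reflected by a "not found" style page; the function names and the request URI are hypothetical, and in a Yii 1.1 view `CHtml::encode()` wraps the same `htmlspecialchars()` call with `ENT_QUOTES` and the application charset.

```php
<?php
// Added example in plain PHP so it runs without the framework.
// Function names are hypothetical; the reflection point is an assumption.

// "Before": echoes the decoded request path into HTML unescaped,
// so markup in the path becomes markup in the page.
function renderNotFoundUnsafe($requestUri)
{
    $path = rawurldecode((string) parse_url($requestUri, PHP_URL_PATH));
    return '<p>The page ' . $path . ' was not found.</p>';
}

// "After": the same page with output encoding applied when the value
// is written into an HTML text context.
function renderNotFoundSafe($requestUri)
{
    $path = rawurldecode((string) parse_url($requestUri, PHP_URL_PATH));
    // ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    $encoded = htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>The page ' . $encoded . ' was not found.</p>';
}

// Constructed request URI, modelled on the URL in the post.
$requestUri = '/new/%3Cscript%3Ealert(1)%3C/script%3E';

echo renderNotFoundUnsafe($requestUri), PHP_EOL; // script tag reaches the browser as markup
echo renderNotFoundSafe($requestUri), PHP_EOL;   // angle brackets arrive as &lt; and &gt;
```

Encoding belongs in every view that prints request data, including custom error views, rather than in a filter that tries to strip tags from the URL.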