I have gone through so many forums and Wikipedia pages, since I spent 2-3 days trying to figure out XSS, but I still don't understand how to apply the several solutions proposed by experts, and I want to know how hackers can introduce malicious code into the victim's browser. My application was run through a standard application scanner, and it found many XSS issues. I want to put one of the XSS findings about my application here, so that someone may help me understand what exactly I should do about this problem. However, I am trying hard to better understand the problems of XSS. This is my piece of code.
```javascript
// Reads a value out of the query string by searching for the parameter name.
function getParameter(param) {
    var val = "";
    var qs = window.location.search;
    var start = qs.indexOf(param);
    if (start != -1) {
        start += param.length + 1;
        var end = qs.indexOf("&", start);
        if (end == -1) {
            end = qs.length;
        }
        val = qs.substring(start, end);
    }
    return val;
}

// year, month, thisDay and contextstr are defined elsewhere in the page.
var formName = getParameter("formName");
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\'' + year + '\',\'' + month + '\',\'' + thisDay + '\'), \'' + contextstr + '\', \'' + formName + '\' );window.close()" class="modulelink">' + thisDay + '</a></td>';
document.getElementById('calendarA').innerHTML = myValue;
```
And these statements

```javascript
var qs = window.location.search;
val = qs.substring(start, end);
var formName = getParameter("formName");
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\'' + year + '\',\'' + month + '\',\'' + thisDay + '\'), \'' + contextstr + '\', \'' + formName + '\' );window.close()" class="modulelink">' + thisDay + '</a></td>';
document.getElementById('calendarA').innerHTML = myValue;
```

were flagged by the application scanner testing tool as possible XSS (Cross Site Scripting) code, but I'm not sure how this is related to XSS or how I can fix this problem now. Can someone explain how this vulnerability can be fixed?
Venki
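The following is an added example, not code from the original post, showing why the scanner flagged these lines and what a fix looks like. The question's `getParameter` takes `formName` straight from `window.location.search`, without decoding or validation, and concatenates it into a JavaScript string literal inside a `javascript:` URL inside an HTML attribute, which `innerHTML` then parses. Whoever controls the URL controls all three contexts at once. The example reproduces the flagged pattern with the browser globals replaced by function arguments so it also runs under Node, then shows a hardened version: parse the query with `URLSearchParams`, accept `formName` only if it matches an allow-list (the identifier pattern is an assumption; adjust it to the real form names), and build the link with DOM APIs and a click handler instead of assembling markup and code as text. Whether a given character such as `'` or `"` survives un-encoded in `location.search` depends on the browser's URL serializer; the point is that nothing in the original code prevents it.

```javascript
// Added example for this question (not code from the original post).
// The browser globals from the question (window.location.search, document,
// parent.opener) are replaced by function arguments so the logic runs in Node too.

// --- 1. The pattern the scanner flagged, reproduced with `search` as a parameter ---
function getParameterUnsafe(search, param) {
  var val = "";
  var start = search.indexOf(param);          // substring match, not a key match
  if (start != -1) {
    start += param.length + 1;
    var end = search.indexOf("&", start);
    if (end == -1) { end = search.length; }
    val = search.substring(start, end);       // raw: not URL-decoded, not validated
  }
  return val;
}

function buildCellUnsafe(search, year, month, thisDay, contextstr) {
  var formName = getParameterUnsafe(search, "formName");
  // formName lands inside a JavaScript string literal, inside a javascript: URL,
  // inside an HTML attribute, and the whole string is then parsed by innerHTML.
  return '<a href="javascript:parent.opener.assignDateIps( new Date(\'' + year + '\',\'' + month +
    '\',\'' + thisDay + '\'), \'' + contextstr + '\', \'' + formName +
    '\' );window.close()" class="modulelink">' + thisDay + '</a>';
}

// --- 2. Hardened version ---
// Assumption (not from the post): a form name is a short identifier. Anything else is rejected.
const FORM_NAME_RE = /^[A-Za-z0-9_-]{1,64}$/;

function getFormName(search) {
  const value = new URLSearchParams(search).get("formName"); // exact key, properly decoded
  if (value === null || !FORM_NAME_RE.test(value)) {
    throw new Error("formName missing or not an allowed identifier");
  }
  return value;
}

// Describe the cell as data; no HTML or JavaScript source is assembled from it.
function buildCellSafe(search, year, month, thisDay, contextstr) {
  return {
    text: String(thisDay),
    className: "modulelink",
    year: Number(year), month: Number(month), day: Number(thisDay),
    contextstr: String(contextstr),
    formName: getFormName(search),
  };
}

// Build the link with DOM APIs. textContent creates a text node, and the click
// handler is a closure, so the values are never parsed as markup or as code.
function renderCell(doc, cell, onSelect) {
  const a = doc.createElement("a");
  a.href = "#";
  a.className = cell.className;
  a.textContent = cell.text;
  a.addEventListener("click", (ev) => {
    ev.preventDefault();
    onSelect(new Date(cell.year, cell.month, cell.day), cell.contextstr, cell.formName);
  });
  return a;
}

// In the browser this replaces the innerHTML assignment from the question.
if (typeof document !== "undefined" && typeof parent !== "undefined") {
  const cell = buildCellSafe(window.location.search, 2024, 5, 12, "ctx"); // constructed values
  document.getElementById("calendarA").replaceChildren(
    renderCell(document, cell, (date, ctx, form) => {
      parent.opener.assignDateIps(date, ctx, form);
      window.close();
    })
  );
} else {
  // Constructed attacker-controlled query strings: the first closes the JS string literal
  // and comments out the rest of the javascript: URL; the second closes the href attribute
  // and injects a new element that innerHTML will parse.
  for (const search of ["?formName=a');alert(document.cookie);//",
                        '?formName="><img src=x onerror=alert(1)>']) {
    console.log(buildCellUnsafe(search, 2024, 5, 12, "ctx"));
  }
}
```

Two things to notice beyond the break-outs: `getParameterUnsafe("?myformName=x&formName=y", "formName")` returns `"x"`, because `indexOf` matches the first substring rather than the key, while `URLSearchParams` returns `"y"`; and the hardened version fails closed, throwing on a missing or malformed `formName` instead of silently building a link with an empty or hostile value.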