 Python Auto <script type="text/javascript"> alert("JavaScript alert"); </script> 

I have an undo button and I'm passing the JavaScript- and HTML-escaped text below as a parameter to its onclick JavaScript code. Above is the fully unescaped text.

'Python&#x5c;x20Auto&#x5c;x20&#x5c;x3Cscript&#x5c;x20type&#x5c;x3D&#x5c;x22text&#x5c;x2Fjavascript&#x5c;x22&#x5c;x3E&#x5c;x20alert&#x5c;x28&#x5c;x22JavaScript&#x5c;x20alert&#x5c;x22&#x5c;x29&#x5c;x3B&#x5c;x20&#x5c;x3C&#x5c;x2Fscript&#x5c;x3E&#x5c;x20' 

When I try to test the website, the undo button element has its parameter written as below (I clicked F12 and checked the element):

'Python\x20Auto\x20\x3Cscript\x20type\x3D\x22text\x2Fjavascript\x22\x3E\x20alert\x28\x22JavaScript\x20alert\x22\x29\x3B\x20\x3C\x2Fscript\x3E\x20'

When I click the undo button I'm displaying a popup. The question is that before this popup the alert box is shown with the "JavaScript alert" text even though I have escaped the text for HTML and JavaScript. The popup box for the undo button shows only the "Python Auto" text but not the script.

Lloyd95
  • Tried real hard but couldn't understand your question. :( – Vinay Nov 04 '16 at 10:41
  • http://stackoverflow.com/questions/40422236/script-tag-is-missing-when-printing-a-javascript-escaped-text @Novice Could you please answer this question. – Lloyd95 Nov 04 '16 at 12:06

0 Answers
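The decoding layers the question describes, traced in plain JavaScript as an added example (not code from the question or its author). The attribute value is the one quoted in the question; the helper names are hypothetical, and the last step assumes the popup writes the value through an HTML-parsing sink such as jQuery's .html(), which the question does not show.

```javascript
// Attribute value as served (quoted from the question): JS-escaped, then HTML-escaped.
const served = "'Python&#x5c;x20Auto&#x5c;x20&#x5c;x3Cscript&#x5c;x20type&#x5c;x3D&#x5c;x22text&#x5c;x2Fjavascript&#x5c;x22&#x5c;x3E&#x5c;x20alert&#x5c;x28&#x5c;x22JavaScript&#x5c;x20alert&#x5c;x22&#x5c;x29&#x5c;x3B&#x5c;x20&#x5c;x3C&#x5c;x2Fscript&#x5c;x3E&#x5c;x20'";

// Layer 1: the HTML parser decodes character references inside attribute values.
// Only numeric references (hex or decimal) are handled, which is all the sample uses.
function decodeHtmlAttribute(value) {
  return value.replace(/&#(x[0-9a-f]+|\d+);/gi, (_, ref) =>
    String.fromCodePoint(/^x/i.test(ref) ? parseInt(ref.slice(1), 16) : parseInt(ref, 10)));
}

// Layer 2: the JS engine decodes \xHH escapes when it evaluates the string literal.
function decodeJsStringLiteral(literal) {
  const body = literal.slice(1, -1); // drop the surrounding single quotes
  return body.replace(/\\x([0-9a-f]{2})/gi, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Layer 3 (the missing step): encode again for the context the value is written into.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Follow the parameter from served markup to the value the handler receives.
function traceUndoParameter(attr) {
  const inDom = decodeHtmlAttribute(attr);        // what F12 shows in the element
  const atRuntime = decodeJsStringLiteral(inDom); // what the onclick function gets
  return { inDom, atRuntime, safeForHtmlSink: escapeHtml(atRuntime) };
}

const trace = traceUndoParameter(served);
console.log(trace.inDom);
console.log(trace.atRuntime);
console.log(trace.safeForHtmlSink);
```

The two escapes only protect the value on its way into the onclick attribute; by the time the handler runs, the string is the raw markup again. Writing it with textContent or jQuery's .text() instead of an HTML sink removes the need for the third step.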