Home/ Questions/Q 6548399
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T11:58:03+00:00

I have some JavaScript which retrieves a user-submitted querystring value, sets a hidden field’s

  • 0

I have some JavaScript which retrieves a user-submitted querystring value, sets a hidden field’s VALUE to the parameter, then posts the form automatically.

This is all done on page load. Is there any potential for XSS?

<script>
    function autoSubmit(){
        var url = ... /* retrieve URL from querystring parameter */
        document.getElementById("txt").value = url;
        document.getElementById("myform").submit();
    }
</script>
<!-- ...... --->
<body onload="autoSubmit()">
<form id="myform" name="myform" method="POST" action="http://www.mysite.com/someform.php">
 <input id="txt" name="txt" type="hidden" value="" />
</form>
</body>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No. You are not executing remote code anywhere and you aren’t allowing users to enter their own Markup.
    But are you sure you are concerned about XSS?

    The site is likely vulnerable to some form of XSRF for the usual XSRF Reasons:

    • I’m asuming (since you mentioned query parameters) you are loading this page via a HTTP GET, yet it directly leads to a POST which (likely) modifies data in some way. Users might be tricked into clicking a link with evil parameters (sessionstealing?)
    • Again: Asuming you have not taken any other precautions, posting from a remote location might have the same effect.

    More in depth anaylsis would require looking at your someform.php

    • 0