Example - dom.jsp code:

    <%@ page contentType="text/html;charset=UTF-8" language="java" %>
    Date: <span style="color: red;"></span>
    <%-- The date parameter is copied into a hidden input as-is --%>
    <input type="hidden" value="<%=request.getParameter("date")%>" />
    <script>
    // Source: the request-controlled value is read back out of the DOM
    var date = document.getElementsByTagName("input")[0].value;
    // Sink: innerHTML parses the string as HTML, so any tags in it are rendered
    document.getElementsByTagName("span")[0].innerHTML = date;
    </script>

    Normal request test: http://localhost:8000/modules/servlet/dom.jsp?date=2020-11-15%2015:57:22
    (4.3 DOM XSS - Figure 1)
    XSS attack test: http://localhost:8000/modules/servlet/dom.jsp?date=%3Cimg%20src=1%20onerror=alert(/xss/)%20/%3E%20/%3E)
    (4.3 DOM XSS - Figure 2)
    The date parameter now carries an <img> tag with an onerror handler. The script reads it from the hidden input and assigns it to innerHTML, so the browser parses the tag, the image fails to load, and alert(/xss/) executes.
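The following is an added example, not code from the original page: a hardened replacement for the inline script in dom.jsp, placed beside the vulnerable form so the two can be compared. The function names (`isValidDate`, `escapeHtml`, `renderDate`, `renderDateUnsafe`, `demo`) and the sample inputs are assumptions for illustration; the inputs are constructed to mirror the two requests above. In a browser the code works on a real `<span>`; in Node it substitutes a plain object so the logic can be exercised offline.

```javascript
// Added example (not from the page): safe vs. unsafe rendering of the
// "date" value that dom.jsp reads from its hidden input.

// Allow-list for the only shape dom.jsp is meant to display: YYYY-MM-DD HH:MM:SS.
const DATE_RE = /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/;

function isValidDate(value) {
  return DATE_RE.test(String(value));
}

// Escape the characters that change meaning when a string is placed in HTML.
// Use this when the value must go into an HTML context (e.g. a template);
// for a DOM node, textContent below is the simpler choice.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: validate against the allow-list first, then write with
// textContent, which never parses markup. Returns what was written.
function renderDate(span, value) {
  span.textContent = isValidDate(value) ? value : 'invalid date';
  return span.textContent;
}

// Vulnerable counterpart, equivalent to the script in dom.jsp: the value
// reaches innerHTML unchanged, so a string containing tags becomes markup.
function renderDateUnsafe(span, value) {
  span.innerHTML = value;
  return span.innerHTML;
}

// Constructed inputs mirroring the page's normal request and attack request.
const NORMAL = '2020-11-15 15:57:22';
const PAYLOAD = '<img src=1 onerror=alert(/xss/) />';

// Stand-alone run: uses a plain object as the span when no DOM is available,
// so only the string-level behaviour is shown outside a browser.
function demo() {
  const span = typeof document !== 'undefined' ? document.createElement('span') : {};
  return {
    normal: renderDate(span, NORMAL),          // '2020-11-15 15:57:22'
    payload: renderDate(span, PAYLOAD),        // 'invalid date'
    escaped: escapeHtml(PAYLOAD),              // '&lt;img src=1 onerror=alert(/xss/) /&gt;'
    unsafe: renderDateUnsafe({}, PAYLOAD),     // the raw tag, which a browser would parse
  };
}

demo();
```

The allow-list check is the primary control here: the page only ever displays a timestamp, so anything that is not a timestamp is rejected before it reaches the DOM. `textContent` is the second layer; even if validation were loosened, an assignment through `textContent` renders `<img ...>` as literal text rather than as an element, so the `onerror` handler never exists.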