anonymous
Reputation: 271
Why does this error occur when it shouldn't?
I've been writing a script that will check for reflective XSS vulnerabilities. I'm having an error on a part that checks if you have "http://" or "https://" in your URL and '*' in the place of queries. However, when I put https://google.com/#q=*", it results inERROR! MISSING 'http://', OR 'https://'!`. Here's my code:
<!DOCTYPE html>
<html>
<head>
<title>Slingshot.XSS</title>
</head>
<body style="font-family:monospace;" align="center">
<h2>Slingshot.XSS</h2>
<h3>Slingshot.XSS is a script that launches pre-loaded XSS payloads at a target to test its vulnerabilities.</h3>
<h4>Please report all issues to <a href="https://github.com/keeganjk/slingshot.xss/issues"></a> or contact me at [email protected].</h4>
<a href="github.com/keeganjk/slingshot.xss" style="font-family:monospace" align="center">Source Code / Learn More</a>
<br />
<h4>Enter a URL with <b>*</b> in the place of query.</h4>
<h5>Example: https://www.google.com/#q=*</h5>
<input type="text" id="myText" placeholder="Enter a URL"> <button onclick="myFunction()">Submit</button>
<p id="demo">No Submitted URL</p>
<script>
function myFunction() {
var x = document.getElementById("myText").value;
// Error check
if ( !x.includes("*") && ( !x.includes("http://") || !x.includes("https://") ) ) {
document.getElementById("demo").innerHTML = "ERROR! MISSING \'*\' IN PLACE OF QUERY, \'http://\', AND \'https://\'!";
x = false;
return 0;
}
if ( !x.includes("*") ) {
document.getElementById("demo").innerHTML = "ERROR! MISSING \'*\' IN PLACE OF QUERY!";
x = false;
return 0;
}
if ( !x.includes("http://") || !x.includes("https://") ) {
document.getElementById("demo").innerHTML = "ERROR! MISSING \'http://\', OR \'https://\'!";
x = false;
return 0;
}
document.getElementById("demo").innerHTML = x;
}
</script>
</body>
</html>
What am I doing wrong?
Upvotes: 0
Views: 66
Answers (3)
thedude
Reputation: 9812
I've refactored your function to show how you can reduce the complexity of the code when you separate the validation logic from the rendering of the errors.
function myFunction() {
var errors = [];
var x = document.getElementById("myText").value;
if (!x.includes("http://") && !x.includes("https://")) {
errors.push('missing HTTP or HTTPS');
}
if (!x.includes("*")) {
errors.push('missing * in place of query')
}
// render the errors
if (errors.length) {
x = 'Error: ' + errors.join(', ') + '!';
}
document.getElementById("demo").innerHTML = x;
}
<!DOCTYPE html>
<html>
<head>
<title>Slingshot.XSS</title>
</head>
<body style="font-family:monospace;" align="center">
<h2>Slingshot.XSS</h2>
<h3>Slingshot.XSS is a script that launches pre-loaded XSS payloads at a target to test its vulnerabilities.</h3>
<h4>Please report all issues to <a href="https://github.com/keeganjk/slingshot.xss/issues"></a> or contact me at [email protected].</h4>
<a href="github.com/keeganjk/slingshot.xss" style="font-family:monospace" align="center">Source Code / Learn More</a>
<br />
<h4>Enter a URL with <b>*</b> in the place of query.</h4>
<h5>Example: https://www.google.com/#q=*</h5>
<input type="text" id="myText" placeholder="Enter a URL"> <button onclick="myFunction()">Submit</button>
<p id="demo">No Submitted URL</p>
<script>
function myFunction() {
var errors = [];
var x = document.getElementById("myText").value;
if (!x.includes("http://") && !x.includes("https://")) {
errors.push('missing HTTP or HTTPS');
}
if (!x.includes("*")) {
errors.push('missing * in place of query')
}
if (errors.length) {
x = 'Error: ' + errors.join(', ') + '!';
}
document.getElementById("demo").innerHTML = x;
}
</script>Upvotes: 0
Abhinav Galodha
Reputation: 9878
You need to write the if condition correctly.
Change the condition from
if ( !x.includes("http://") || !x.includes("https://") ) {
to
if ( !(x.includes("http://") || x.includes("https://")) ) {
In this way, you raise the error only when the url doesn't contain either http:// or https://
Complete Code:
<!DOCTYPE html>
<html>
<head>
<title>Slingshot.XSS</title>
</head>
<body style="font-family:monospace;" align="center">
<h2>Slingshot.XSS</h2>
<h3>Slingshot.XSS is a script that launches pre-loaded XSS payloads at a target to test its vulnerabilities.</h3>
<h4>Please report all issues to <a href="https://github.com/keeganjk/slingshot.xss/issues"></a> or contact me at [email protected].</h4>
<a href="github.com/keeganjk/slingshot.xss" style="font-family:monospace" align="center">Source Code / Learn More</a>
<br />
<h4>Enter a URL with <b>*</b> in the place of query.</h4>
<h5>Example: https://www.google.com/#q=*</h5>
<input type="text" id="myText" placeholder="Enter a URL"> <button onclick="myFunction()">Submit</button>
<p id="demo">No Submitted URL</p>
<script>
function myFunction() {
var x = document.getElementById("myText").value;
// Error check
if ( !x.includes("*") && ( !x.includes("http://") || !x.includes("https://") ) ) {
document.getElementById("demo").innerHTML = "ERROR! MISSING \'*\' IN PLACE OF QUERY, \'http://\', AND \'https://\'!";
x = false;
return 0;
}
if ( !x.includes("*") ) {
document.getElementById("demo").innerHTML = "ERROR! MISSING \'*\' IN PLACE OF QUERY!";
x = false;
return 0;
}
if ( !(x.includes("http://") || x.includes("https://")) ) {
document.getElementById("demo").innerHTML = "ERROR! MISSING \'http://\', OR \'https://\'!";
x = false;
return 0;
}
document.getElementById("demo").innerHTML = x;
}
</script>
</body>
</html>Upvotes: 0
Pat_Morita
Reputation: 3535
You check if http is not in OR https is not in. One of both will always be true. Perform the checks one after another... for example
Upvotes: 3
Related Questions
- If/Else Statement Failing
- What is wrong with this 'if' JavaScript statement?
- Error in If statement Javascript
- Whats wrong with this JavaScript if statement?
- Odd error in Javascript "if" statement
- If else javascript error
- Why am I getting a Javascript "if" failure?
- Problems with an IF statement in JavaScript
- What is wrong with this javascript if statement
- what is wrong with this if condition in Javascript?