I stumbled upon a web app which is accepting user input and putting it into a variable within
script tag does have a nonce attribute.
As am working on bypassing the XSS filter, I had this thought that this practice of reflecting user input within an inline script with nonce attribute renders nonce useless.
Is my understand correct or am I missing something here ?
Go to Source