I stumbled upon a web app which is accepting user input and putting it into a variable within script tag.
The script tag does have a nonce attribute.
As am working on bypassing the XSS filter, I had this thought that this practice of reflecting user input within an inline script with nonce attribute renders nonce useless.
Is my understand correct or am I missing something here ?
Go to Source
Author: Rahul