" onclick="alert('do evil here')" onfocus="alert('do evil here')" foo="
It errors out, and my JavaScript is now in the input box. They click the name and then it runs my JavaScript.
It's great you've escaped < and >, but you need to do more.
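Added illustration of the point made above, not code from the original thread: rendering the same kind of attribute-breaking value into an `<input value="...">` (the template shape is assumed) with only `<`/`>` escaped versus full attribute escaping, then tokenizing the result with Python's stdlib HTML parser to see which attributes the browser would actually get.

```python
import html
from html.parser import HTMLParser

# Constructed value with the same shape as the one quoted in the comment above.
PAYLOAD = '" onclick="alert(\'do evil here\')" onfocus="alert(\'do evil here\')" foo="'


def escape_angle_only(s):
    """The insufficient escaping the comment describes: only < and > are handled."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def escape_attr(s):
    """Escaping adequate for a double-quoted attribute: &, <, >, \" and ' all encoded."""
    return html.escape(s, quote=True)


def render_input(name, escaper):
    """Assumed server-side template: the user-controlled name goes into a value attribute."""
    return '<input type="text" name="name" value="%s">' % escaper(name)


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, decoding character references
    the way a browser would, so we see the attribute set the browser sees."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_input_attrs(tag_html):
    p = _InputAttrs()
    p.feed(tag_html)
    p.close()
    return p.attrs or {}


if __name__ == "__main__":
    weak = parse_input_attrs(render_input(PAYLOAD, escape_angle_only))
    print("angle-only escaping, attributes:", sorted(weak))      # onclick/onfocus present
    strong = parse_input_attrs(render_input(PAYLOAD, escape_attr))
    print("full attribute escaping, attributes:", sorted(strong))  # only name/type/value
```

With angle-only escaping the quote in the value closes the attribute and the browser sees real `onclick` and `onfocus` handlers; with full escaping the whole string stays inside `value` and round-trips unchanged.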