Problem 27

Find and Fix the XSS in a Comment Form

Medium · Security

This comment form works fine for normal users — but it has two security vulnerabilities that would let an attacker run arbitrary JavaScript in anyone's browser.

Your job is to find both bugs in main.js and fix them. No new features needed, no UI changes required. Just close the holes.

A payload is something like `<img src="x" onerror="alert('hacked')">` pasted into the comment box. Right now that works. It shouldn't.

Requirements
  • Normal comments — plain text names and comment bodies — must still render correctly after your fix.
  • A comment body containing an HTML tag (e.g. `<b>bold</b>`) must be displayed as literal text, not parsed as HTML.
  • A comment body containing `<img onerror=...>` must not cause any JavaScript to execute.
  • A website URL beginning with javascript: must not be rendered as a clickable href — either strip it, replace it with #, or skip rendering the link entirely.
  • Both fixes must be present. Fixing only one will leave two judge checks red.
Examples
Example 1
Input
Comment body: `Hello, world!`
Output
Comment renders with the text "Hello, world!" visible.
Note

Normal input must still work after your fix.

Example 2
Input
Comment body: `<img src="x" onerror="window.__XSS__=true">`
Output
The literal text is shown. No JS runs.
Note

The onerror handler must never fire — use textContent, not innerHTML.

Example 3
Input
Website URL: `javascript:alert(1)`
Output
No link is rendered, or the link's href is sanitized to a safe value.
Note

javascript: URLs run code when clicked. Only http:// and https:// are safe.

Constraints
  • Fix the bugs in main.js. You may also edit index.html if needed.
  • Do not remove the comment form or the comment list — they must remain functional.
  • The fix must work for any malicious payload, not just the specific examples above.
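A hardened renderer that closes both holes, added here as an example rather than the challenge's own main.js (which this page does not show). The element ids `comment-form` and `comments` and the field names `name`, `body` and `website` are assumptions:

```javascript
// Added example, not the challenge's main.js. Element ids and field names
// ("comment-form", "comments", name/body/website) are assumptions.

// Return a safe href or null. Only absolute http(s) URLs pass; javascript:,
// data:, vbscript: and unparsable input are all rejected. The WHATWG parser
// lowercases the scheme and strips tabs/newlines, so "JavaScript:" is caught.
function safeHref(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return null;
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}

// Build one <li> for a comment using text nodes only. `doc` is passed in so
// the function can be exercised without a browser.
function renderComment(doc, comment) {
  const li = doc.createElement("li");
  const author = doc.createElement("strong");
  author.textContent = comment.name;      // fix 1: textContent, never innerHTML
  li.appendChild(author);
  const href = safeHref(comment.website); // fix 2: scheme allowlist for the link
  if (href !== null) {
    const link = doc.createElement("a");
    link.href = href;
    link.textContent = href;
    li.appendChild(doc.createTextNode(" "));
    li.appendChild(link);
  }
  const body = doc.createElement("p");
  body.textContent = comment.body;        // "<b>x</b>" shows as literal text
  li.appendChild(body);
  return li;
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof document !== "undefined") {
  const form = document.getElementById("comment-form");
  const list = document.getElementById("comments");
  form.addEventListener("submit", (event) => {
    event.preventDefault();
    const data = new FormData(form);
    const fields = { name: data.get("name"), body: data.get("body"), website: data.get("website") };
    list.appendChild(renderComment(document, fields));
  });
}
```

A relative URL such as `example.com` is rejected too, since the spec above only allows `http://` and `https://`.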
Follow-up

This fix handles XSS at the rendering layer. Real apps often use a Content Security Policy (CSP) header as a second line of defense — even if a payload somehow gets into the DOM, a strict CSP prevents it from executing. How would you write a CSP that blocks inline scripts but still allows your app to function?
