
You can also run JS on the page. Try searching for:

    jv98y4yt47tgfuf4<img src=dhdu4ye.jpg onerror="alert('XSS')">



[deleted]


You could log data about the user (example by captaincrunch in their updated comment), directly modify the way the page looks (e.g. a fake virus alert page) or simply redirect the user to any site you want.

It's bad on a 'normal' site, but even worse here given their target market.
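The reflection the comments above describe, as an added example that is not part of the thread and not code from the site being discussed: a hypothetical search-results renderer that echoes the query unescaped, beside a version that encodes it for each output context. The function names, the markup and the `/search?q=` URL are assumptions.

```javascript
// Added example: hypothetical search-results renderer (assumed names and markup).
// Search string copied from the first comment in the thread.
const QUERY = `jv98y4yt47tgfuf4<img src=dhdu4ye.jpg onerror="alert('XSS')">`;

// Vulnerable: the query is concatenated straight into markup, so the browser
// parses the <img> tag and runs its onerror handler when the image fails to load.
function renderResultsUnsafe(query) {
  return `<h1>No results for ${query}</h1>` +
         `<input name="q" value="${query}">`;
}

// Encode the five characters that can change the HTML parsing context.
// Suitable for element content and for quoted attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every reflection point gets the encoding its context needs.
function renderResultsSafe(query) {
  const html = escapeHtml(query);                     // heading text, input value
  const url = escapeHtml(encodeURIComponent(query));  // query-string value inside href
  return `<h1>No results for ${html}</h1>` +
         `<input name="q" value="${html}">` +
         `<a href="/search?q=${url}&amp;page=2">Next</a>`;
}

console.log(renderResultsUnsafe(QUERY));
console.log(renderResultsSafe(QUERY));
```

With the encoded version the search string is displayed as literal text, and no element or event handler is created from it.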



