Pug

Pug is a simple templating language that lets you generate HTML markup with plain JavaScript.

XSS

Unescaped Attributes

By default, all attribute values are HTML-escaped. If you need the value emitted verbatim (including special characters), use != instead of =.

div(escaped="<code>")
=> <div escaped="&lt;code&gt;"></div>
div(unescaped!="<code>")
=> <div unescaped="<code>"></div>

p = 'This code <strong>is</strong> escaped!'
=> <p>This code &lt;strong&gt;is&lt;/strong&gt; escaped!</p>
p != 'This code is' + ' <strong>not</strong> escaped!'
=> <p>This code is <strong>not</strong> escaped!</p>

div#foo(data-bar="foo")&attributes({'data-foo': 'bar'})
=> <div id="foo" data-bar="foo" data-foo="bar"></div>

Attributes applied using &attributes are not automatically escaped.

Unescaped Strings

Safe:

p You're logged in as #{user.name}

Unsafe:

p You're logged in as !{user.name}

Unescaped Protocol

Attribute escaping does not help here: the value contains none of the characters Pug rewrites, so a javascript: URL taken from user data is emitted as-is and runs when the link is clicked. Validate the scheme of user-supplied URLs (allow only http:, https: and similar) before placing them in href.

a(href="javascript:alert(document.domain)")
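The following is an added example, not part of the Pug documentation: it reimplements the escaping pug-runtime applies for = and #{} (an assumption: the table below covers the same four characters, & < > ") to show why #{} is safe and !{} is not, and adds the URL scheme allow-list that escaping alone does not give you for the href case above. The helper names are our own.

```javascript
// Same four characters pug-runtime's escape() rewrites; everything else
// (including the ":" of a javascript: URL) passes through untouched.
function pugEscape(value) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(value).replace(/[&<>"]/g, (ch) => table[ch]);
}

// Models `p You're logged in as #{name}` (escaped, the default) versus
// `!{name}` (unescaped): the only difference is whether pugEscape() runs.
function renderGreeting(name, { unescaped = false } = {}) {
  const body = unescaped ? String(name) : pugEscape(name);
  return `<p>You're logged in as ${body}</p>`;
}

// Scheme allow-list for user-supplied hrefs. pugEscape() would emit
// "javascript:alert(document.domain)" unchanged, so the scheme must be
// checked before the value ever reaches the template.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeHref(url) {
  const trimmed = String(url).trim();
  // Site-relative links carry no scheme, so they cannot select javascript:.
  if (trimmed.startsWith('/') && !trimmed.startsWith('//')) return trimmed;
  let parsed;
  try {
    parsed = new URL(trimmed); // WHATWG parser: lower-cases the scheme for us
  } catch {
    return '#'; // unparsable input is replaced by an inert link
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : '#';
}

// Models `a(href=url)= text`: scheme check first, attribute escaping second.
function renderLink(url, text) {
  return `<a href="${pugEscape(safeHref(url))}">${pugEscape(text)}</a>`;
}
```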