Constructing a web page with (unsanitised) string substitutions

This web page contains JavaScript code that mimics the behaviour of a web server that generates a web page using the template below:

<h4> ${name}&apos;s Blog! </h4>
${description}
<img align="right" src="${photo_url}">
<p><a href="https://ourdomain.nl/contact?user=${name}">User info for ${name} </a></p>
<p><b onmousedown="alert('Welcome to the blog by ${name}!')">Click here for a silly pop-up</b></p>
<p> If you want to go to ${name}'s name homepage, <a href="${homepage_url}">click here</a>.

Here we use no encoding whatsoever, so it should be easy to cause problems by providing weird input as parameters. Note that the parameters land in several different parsing contexts: ${description} in HTML text, ${photo_url} and ${homepage_url} inside quoted attribute values that the browser then parses as URLs, and ${name} in HTML text, inside a URL query string, and inside a single-quoted JavaScript string literal in an event handler. Each context needs its own encoding, which is why a single "sanitise" step is not enough. The problems could be execution of scripts (i.e. XSS), corrupted links, or simply breaking things and ending up with a totally mangled web page. Try to see if you can inject scripts in the various fields, or simply try to get the parsing of the HTML, the URLs, or (the string literals in) the JavaScript to go off the rails.
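As an added example (not the page's own generateWebPage implementation), the following Node.js code builds the same template twice: once with verbatim substitution, exactly as the template above does, and once with an encoder chosen per context. It runs without a browser, so the effect of each payload is visible in the generated string rather than in a rendered page. The payloads and the helper names escapeHtml, escapeJsString and safeUrl are constructed for illustration and are not part of the original page.

```javascript
// Added example, not the page's own code.  The same template built two ways,
// so the effect of each injection context can be seen in plain Node.js.

// 1. Unsanitised: every ${...} is pasted in verbatim, as the page's template
//    does.  Inputs land in four different parsing contexts: HTML text, a URL
//    inside a quoted attribute, a single-quoted string inside a JavaScript
//    event handler, and an attribute holding a whole URL.
function generateWebPage({ name, description, photo_url, homepage_url }) {
  return `<h4> ${name}&apos;s Blog! </h4> ${description} ` +
    `<img align="right" src="${photo_url}"> ` +
    `<p><a href="https://ourdomain.nl/contact?user=${name}">User info for ${name} </a></p> ` +
    `<p><b onmousedown="alert('Welcome to the blog by ${name}!')">Click here for a silly pop-up</b></p> ` +
    `<p> If you want to go to ${name}'s name homepage, <a href="${homepage_url}">click here</a>.`;
}

// 2. Context-specific encoders (hypothetical helper names).  No single
//    "sanitise" fits all four contexts; each substitution site gets the
//    encoder for its own context.
function escapeHtml(s) {
  // Safe for HTML text nodes and for double-quoted attribute values.
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function escapeJsString(s) {
  // Safe inside a JavaScript string literal: everything outside a small
  // allow-list becomes \uXXXX, so quotes, backslashes, newlines and "</"
  // can no longer terminate the literal or the surrounding element.
  return String(s).replace(/[^A-Za-z0-9 ,.!?-]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function safeUrl(s) {
  // Only allow http(s) URLs; anything else (javascript:, data:, garbage)
  // is replaced by a harmless placeholder.  A real parser decides, not a regex.
  try {
    const u = new URL(String(s));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) { /* unparsable: fall through */ }
  return 'about:blank';
}

function generateWebPageSafe({ name, description, photo_url, homepage_url }) {
  const hName = escapeHtml(name);
  // The event handler is an HTML attribute containing JavaScript.  HTML-encoding
  // alone is NOT enough: the browser decodes &#39; back to a quote before the
  // JS parser sees it.  Encode for JS first (inner context), then HTML-encode
  // the whole attribute value (outer context).
  const jsName = escapeHtml(escapeJsString(name));
  // Query parameter inside a URL inside an attribute: URL-encode, then HTML-encode.
  const qName = escapeHtml(encodeURIComponent(name));
  return `<h4> ${hName}&apos;s Blog! </h4> ${escapeHtml(description)} ` +
    `<img align="right" src="${escapeHtml(safeUrl(photo_url))}"> ` +
    `<p><a href="https://ourdomain.nl/contact?user=${qName}">User info for ${hName} </a></p> ` +
    `<p><b onmousedown="alert('Welcome to the blog by ${jsName}!')">Click here for a silly pop-up</b></p> ` +
    `<p> If you want to go to ${hName}'s name homepage, <a href="${escapeHtml(safeUrl(homepage_url))}">click here</a>.`;
}

// Constructed payloads, one per context.
const payloads = {
  name: `');alert(document.cookie);//`,          // breaks out of the JS string literal
  description: `<img src=x onerror="alert(1)">`, // event handler: fires even via innerHTML
  photo_url: `x" onerror="alert(2)`,             // breaks out of the src="..." attribute
  homepage_url: `javascript:alert(3)`,           // well-formed URL with a dangerous scheme
};

console.log('--- unsanitised ---\n' + generateWebPage(payloads));
console.log('--- per-context encoding ---\n' + generateWebPageSafe(payloads));
```

Running it prints both versions: in the unsanitised one the attribute, the event handler and the link are all broken out of, while in the encoded one each payload is still present as text but no longer crosses its context boundary.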

Supplying the parameters

Enter the value for ${name}

Enter the value for ${description}

Enter the value for ${photo_url}

Enter the value for ${homepage_url}

Generating the web page

Hitting the buttons below executes a JavaScript function generateWebPage that uses the values above to generate an HTML web page. The buttons use two different techniques provided by the DOM API to get your browser to render the generated HTML: innerHTML and document.write().


Below the generated webpage will appear

When the generated HTML is inserted via innerHTML, scripts inlined between <script> tags will not be executed (browsers deliberately do not run script elements inserted this way), but others, such as scripts in event-handler attributes like onerror or onmousedown, might be.

Here the generated webpage will appear