Merge pull request #316 from immortal71/fix/xss-lab3-regex-pattern

RupakBiswas-2304 · web-flow · commit ea2d7151bfc6 · 2026-01-11T16:56:02.000+05:30
Fix XSS Lab 3: Change regex pattern to allow JSFuck-style payloads
diff --git a/introduction/templates/Lab/XSS/xss.html b/introduction/templates/Lab/XSS/xss.html
@@ -104,9 +104,14 @@ <h4>Exploiting the Reflection of the search query </h4>
         <button class="coll btn btn-info">Lab Details</button>
         <div class="lab">
             <p class="bp">
-                This lab is a demonstration of a Reflected XSS
+                This lab is a demonstration of a Reflected XSS with alphanumeric filter bypass.
             </p>
-            <p class="bp">The goal of this challenge is to trigger an alert, User input is being Reflected on script Tag, but the real challenge lies in the fact that all alphanumeric characters are escaped. Can you find way to pop an alert ?
+            <p class="bp">
+                The goal of this challenge is to trigger an alert. User input is being reflected in a script tag, but all alphanumeric characters (letters A-Z, a-z, and digits 0-9) are removed from your input.
+                Can you find a way to execute JavaScript using only special characters?
+            </p>
+            <p class="bp">
+                <b>Hint:</b> Research "JSFuck" - a technique to write JavaScript using only 6 characters: <code>[]()!+</code> (though other special characters are also available)
             </p> 
          
 
diff --git a/introduction/views.py b/introduction/views.py
@@ -122,9 +122,10 @@ def xss_lab2(request):
 def xss_lab3(request):
     if request.user.is_authenticated:
         if request.method == 'POST':
-            username = request.POST.get('username')
-            print(type(username))
-            pattern = r'\w'
+            username = request.POST.get('username', '')
+            # Remove only alphanumeric characters (letters and digits)
+            # This allows special characters like []()!+ for JSFuck-style payloads
+            pattern = r'[a-zA-Z0-9]'
             result = re.sub(pattern, '', username)
             context = {'code':result}
             return render(request, 'Lab/XSS/xss_lab_3.html',context)
