One is the problem of header insertion.
The other is the \r\n (line-break injection) problem.
Let’s look at this piece of code:
    test
    <script>
    //alert('<%=request.getParameter("username")%>');
    </script>

Everyone can see there is a vulnerability here: the request parameter is written straight into the script. But it has been "patched" by commenting the line out.
Now that it is commented out, there should be no problem, right?
Wrong.
Look at this URL again (%0A is a URL-encoded line feed; %0D%0A works just as well):

    http://localhost/index.jsp?username=kxlzx%0Aalert('kxlzx

Depressing, isn't it?
The following code was generated:

    test
    <script>
    //alert('kxlzx
    alert('kxlzx');
    </script>

The line feed ends the // line comment, so the "commented-out" JS is executed after all: everything after the line break is live code, and the closing '); left over from the template completes the injected call. So don't throw useless code, commented-out JS and the like into the HTML. If a value really must land inside a script, encode it for the JavaScript context; otherwise delete the dead code entirely. Code review is a delicate job, and any omission is worth noting.
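As an added example (not code from the original post), the following Node.js script simulates the JSP template above with the same line-break payload; alert is stubbed so the script can record which calls actually fire. It also goes beyond the post in two ways: it shows that the U+2028 line separator, which JavaScript also treats as a line terminator, breaks out of the comment exactly like \n (so filtering only \r\n is not a fix), and it contrasts the naive template with one that escapes the value for a JavaScript string context. The jsStringEscape helper is an assumption for illustration only; in real JSP code use a vetted encoder rather than a hand-rolled one.

```javascript
// Added example, not from the original post: simulate the JSP page's
// "commented-out" script under Node.js and check which alert() calls fire.

// Equivalent of:  //alert('<%=request.getParameter("username")%>');
// The request value is concatenated into the script verbatim.
function renderNaive(username) {
  return "//alert('" + username + "');";
}

// Assumed helper (illustrative, not a library API): escape a value for a
// JavaScript string literal. Every character outside [A-Za-z0-9 ] becomes
// \uXXXX, so line terminators (\r, \n, U+2028, U+2029), quotes, backslashes
// and the "<" and "/" of "</script>" can never leave the literal.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Same template, but the value is escaped before concatenation.
function renderEscaped(username) {
  return "//alert('" + jsStringEscape(username) + "');";
}

// Evaluate a script body with alert() replaced by a recorder.
// Returns the arguments of every alert() that actually executed.
function runScript(body) {
  const calls = [];
  const fakeAlert = (msg) => { calls.push(String(msg)); };
  new Function("alert", body)(fakeAlert);
  return calls;
}

// Constructed payloads: the post's value (a line feed ends the // comment)
// and a variant using U+2028, which JavaScript also treats as a line terminator.
const PAYLOADS = {
  lineFeed: "kxlzx\nalert('kxlzx",
  lineSeparator: "kxlzx\u2028alert('kxlzx",
};

// Run every payload through both templates and report what fired.
function compare() {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    report[name] = {
      naive: runScript(renderNaive(payload)),     // ["kxlzx"]: the comment was broken out of
      escaped: runScript(renderEscaped(payload)), // []: still a single comment line
    };
  }
  return report;
}

console.log(JSON.stringify(compare(), null, 2));
```

Note that the escaped variant is only shown to make the contrast concrete: a commented-out call that takes user input has no business being in the page at all, and removing it is the better fix.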