Multiple shortcodes with embedded JavaScript code in same page, how?

I’m developing a plugin that use shortcodes to display some “special” buttons on frontend. These shortcodes generate HTML, CSS and JavaScript for the button so, if the user insert multiple shortcodes in the same page (to have more than one button), the same JavaScript code is repetead for each shortcode (button). How can I allow the user to insert multiple buttons in the same page without replicate JavaScript code more than one time?

For example: if the user insert 3 buttons on the page when one of these buttons is clicked the click event handler function is exectuted 3 times…

Why is JavaScript executed manually from the browser console not allowed to access everything?

Why is JavaScripts executed manually from the browser console not allowed to access “everything”? Especially the “visited” status (see this question) of links? What kind of security threat would that pose?

Usually, users have full access to their environment, sometimes with a little bump in the form of entering the root password or similar. Why is this an exception?

(I am not saying that scripts downloaded from a web page should have this access. I understand why that is a threat to the user’s privacy etc.)

How can I trace/debug the origin of a specific POST/JS variable in JavaScript in Firefox?

Premise: I’m trying to automate posting on Stack Exchange. Not for abuse, but to have my own interface instead of having to bookmark and use the various “StackSites” and being subjected to the insulting “Viewed 1 times” bug which is never fixed no matter how many times it’s reported.

I have everything ready except for one small detail: the POST variable “i1l” is only set through JavaScript, in an extremely convoluted manner, to the point where I’m convinced that it is specifically done to stop any kind of automation. (Also, to make it clear, SE prevents any client that doesn’t have JavaScript enabled from posting at all.)

I asked about it previously here:

One of the comments mentions Stack Exchange apparently being open source now, and links to a GitHub URL, but I searched all over it and found no mention at all of this variable. It’s only present in the (heavily minified/obscurified) JavaScripts loaded on the actual site. So clearly it isn’t open source after all, at least not fully.

As it’s a complete mystery to me how this variable is determined, and it needs the right value or else it doesn’t let you post, I’m wondering if somebody can tell me how to “debug”/trace this specific variable in Firefox.

I cannot use their API because it requires you to have an account and only use that, which is not good for privacy. I want to be able to “ask as guest” for the StackSites that support it, and the API doesn’t let you do that.

I frankly doubt it would help me much even if I could follow this variable around, step by step, because the JS code I have dug up seems absolutely nonsensical to me. The very name is extremely cryptic and nothing indicates what it would be used for if not to prevent people from posting.

Note: Even if I were to abuse this, which again I’m not, the “one post per IP address per 90 minutes” limit, as well as the constant “too much abuse from your network, sorry” messages make it nearly impossible to abuse anyway. I get those constantly when trying to post perfectly legitimate questions.

JavaScript Snowfall

I used JavaScript to create a snowfall script for web pages. It's just for fun, and I thought I would share. I'm testing it at and you can take a look at it in action. I designed the script to run on any page using just one line of HTML.

To add my snowfall to your page, visit and copy the HTML text and paste it within your web page's <head> section. It should run automatically.

You can view the JavaScript code, here:…

JavaScript Snowfall

How does one populate an app with content when using a front end javascript framework?

For the last month or so I have been struggling with this question. One of the next logical steps in my studies of front end development is to learn how to use a JavaScript framework such as Angular or Vue.js. However, I feel blocked by this one issue that comes to mind.

How does one populate a website with content (say from a database) with a framework like Vue or Angular?

Based on my current research I have come to the conclusion that the only way to do this would be by loading the page and then using client-side JavaScript to request the relevant data after the initial load.

This, to me, seems very inefficient.

Is there any way to render the page beforehand while still keeping all the features of the frontend framework?

Can a URL contain executable JavaScript?

I am learning about “Session fixation” and have read the corresponding OWASP page.

In their Example 2 in the above page, they describe an attack via JavaScript, that is embedded in the URL like:


I tried this with an embedded <script>alert("XSS!!");</script>, but as expected, it did not work.

Is there ANY way, an URL can run embedded JavaScript?

Note: This question is somewhat similar to Execute reflected XSS in URL, but I am talking about scripts in the URL, not from a HTTP header.

Is this javascript vulnerable to dom based XSS?

I was testing and i found a js reflection point. If i send the following request:"'-confirt(1)-'

I can see the following in server response:

<script nonce=""> window.meta = { "token": "Token\"xss=\"'-confirt(1)-'", "dToken": "dt\"xss=\"'-confirt(1)-'", "Id": "11" </script>

Is this code vulnerable to Dom Based XSS? If yes, which payload could i try to trigger an alert box?

I already tried to close the </script> tag but < and > are filtered.

Coding the Javascript part of a TinyMCE plugin: the IDE can’t resolve the tinymce variable

I’ve copied a very basic plugin for WordPress which adds a button to TinyMCE.

The code is correct and works. But while I’m coding (in PHPStorm), the IDE can’t resolve the javascript objects. How can I configure PHPStorm (or a generic IDE) to see the code of TinyMCE included in WordPress?

enter image description here

Check user membership of current user in security group using javascript

I am working on SharePoint 2016 on-premises environment. I need to implement the some functionality based on the result whether the currently logged-in user is a part of a security group or not using javascript/jquery. Can someone advise on how I can check the user membership in a security group?

How editing html and javascript of a website makes it vulnerable? [duplicate]

This question is an exact duplicate of:

  • Is bypassing client-side protections a XSS vulnerability?

I was practicing web pentesting on this level of ctf2 and I was supposed to edit the HTML and the Javascript to get rid of the input validation and < > sanitization. I succeded after looking up the solution elsewhere.

Now what I don’t understand is why modify the HTMLand the Javascript. The changes will be lost once the page is reloaded, so how does that makes it dangerous? Is this how XSS is done, by editing the HTML/Javascript and injecting script tags to the input fields? And how does it threaten real users?

I know the challenge was ‘simple’ and there are no users who are threatened, but is it the same concept in real life? Thanks in advance.