Issue resolved after adding a button availability check and increasing wait time. WebElement continueBtn = driver.findElement(By.xpath("//span[text()='CONTINUE']")); if(continueBtn.isDisplayed()) { try { Thread.sleep(8000); System.out.println("Waiting time 6s"); } catch (InterruptedException e) { e.printStackTrace(); } js.executeScript("arguments[0].click();", continueBtn); }else { System.out.println("Button not found"); }

With a simple search on the internet you can get a bunch of such websites. Here are a few I found, https://www.freecodecamp.org/ - This one I'm also using to learn JS. https://www.java5cript.com/code-challenges https://www.jschallenger.com/ https://javascript30.com/

You're asking for two different things. Your javascript is asking whether image loading is complete, the image has a naturalWidth property that is not "undefined" and the image has a naturalWidth > 0. If any one of these conditions fail, the javascript will evaluate to false. This also means if the property you are querying isn't present on the image object, the javascript will evaluate to false. By comparison, the selenium call to isDisplayed() is asking if the image is displayed and nothing more. If the image is actually present and showing on the screen, then since the call to imagePresent = profileImage.isDisplayed() is returning correct results, I wouldn't bother with the more complex call.

I don't have experience with scripts in Tasker but if it uses common JavaScript then you should be able to remove the text before the URL easily using this script: var idx = astext.indexOf("https://"); var link = astext.substring(0,idx); First search for the string https:// and save the start index. Then cut everything away from start to the saved index.

After some research and digging github issues, here is my own solution: In general I have to do: inject custom/self-written JS to chrome android figure out why it didn't work and the element value changes back to its old / empty value call correct function so 'react' framework can change the input element AND its internal / 2-way binded data First step: inject custom/self-written JS to chrome android From this question: https://android.stackexchange.com/questions/159308/how-can-a-bookmarklet-be-added-on-mobile-chrome-without-copying-and-pasting/210701 I learned that I can add custom JavaScript to bookmark in chrome First step cleared Second step: figure out why it didn't work and the element value changes back to its old / empty value First look, wonder why the value was not changed even after injecting code like: document.querySelector(`#otherfield`).value=`000111222333444555666777888999` ; So I suspected if it used some kind of JavaScript framework to do 2-way data binding (bind a variable value with an input element). To detect which framework they used, I installed this extension: Library Detector https://chrome.google.com/webstore/detail/library-detector/cgaocdmhkmfnkdkbnckgmpopcbpaaejo (disclaimer: I'm not associated with the author of said extension) The result: they used react.js So, the reason why it didn't work and the element value changes back to its old / empty value is because it used react 2-way data binding Second step cleared Third step: call correct function so 'react' framework can change the input element AND its internal / 2-way binded data After some googling, I find this github issue: https://github.com/facebook/react/issues/11488 which links to this issue comment: https://github.com/facebook/react/issues/10135#issuecomment-314441175 Basically the solution is to call such function: function setNativeValue(element, value) { const valueSetter = Object.getOwnPropertyDescriptor(element, 'value').set; const prototype = Object.getPrototypeOf(element); const prototypeValueSetter = Object.getOwnPropertyDescriptor(prototype, 'value').set; if (valueSetter && valueSetter !== prototypeValueSetter) { prototypeValueSetter.call(element, value); } else { valueSetter.call(element, value); } } setNativeValue(textarea, 'some text'); textarea.dispatchEvent(new Event('input', { bubbles: true })); After changing my JS to function setNativeValue(element, value) { const valueSetter = Object.getOwnPropertyDescriptor(element, 'value').set; const prototype = Object.getPrototypeOf(element); const prototypeValueSetter = Object.getOwnPropertyDescriptor(prototype, 'value').set; if (valueSetter && valueSetter !== prototypeValueSetter) { prototypeValueSetter.call(element, value); } else { valueSetter.call(element, value); } } var element1 = document.querySelector(#urname); setNativeValue(element1, kristian); element1.dispatchEvent(new Event('input', { bubbles: true })); var element2 = document.querySelector(#secretid); setNativeValue(element2, abcdefghijkl); element2.dispatchEvent(new Event('input', { bubbles: true })); var element3 = document.querySelector(#otherfield); setNativeValue(element3, 000111222333444555666777888999); element3.dispatchEvent(new Event('input', { bubbles: true })); And then enclosing them in javascript:(function(){ ... })() Now it works perfectly

From https://stackoverflow.com/a/45131867/129805 You can use "eval", e.g. create or replace function my_function() returns text language plv8 as $$ // load module 'test' from the table js_modules var res = plv8.execute("select source from js_modules where name = 'test'"); eval(res[0].source); // now the function test() is defined return test(); $$; select my_function(); CREATE FUNCTION my_function this is a test (1 row) https://rymc.io/blog/2016/a-deep-dive-into-plv8/

TL,DR: It's impossible to do so client side. Client side validation is just a client convenience, not useful to really validate anything. You don't want the client to mistype his email, putting an invalid char somewhere, and have to wait the form being submitted, the server parsing it, and sending back an error 5 seconds later, you want the error to show instantly. You validate on the client, but you ignore the client validation entirely and validate again on the server. If the validation is made client-side, the client may submit the request by hand, bypassing all validation. Even if you use hashing, signing, obfuscating or anything else, the result is an HTTP request and the client can intercept it and tamper it. If your use case is what you asked, server validation it's not difficult at all. Have a table with all questions and all valid answers, and check every client answer with the table. On the first invalid answer you stop the processing and send back an empty page. the number of possible permutations could make validation very difficult. You have to choose between server-side (from trivial to very difficult) and client side (not possible at all). I believe the choice is easy.

If you read a search of https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=react , you can get a sense for the scope of possible vulnerabilities. Mostly it is a lot of cross-site scripting vulnerabilities.

The Content Security Policy has the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src . With 'unsafe-inline' being overridden, and no 'unsafe-hashes', inline event handlers such as you're adding are inoperative. I expect your XSS will work if you use a browser that doesn't understand the CSP 'strict-dynamic' directive (which, being part of CSP level 3, is newer than 'unsafe-inline'). However, that's mostly only going to be very outdated versions of modern browsers, or Internet Explorer.

There is still a risk of exploits using object streams, malformed Rich text format using rtf control words. I work in an environment where all attachments and documents are manually scanned in a sandboxed environment to ensure the security of that document/attachment. There is a good article from Mcafee regarding the use of RTF and OLE attacks https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/

This is not a javascript, POST or HTTPS problem, it affects all data received by a web server. Although realizing that someone might edit a URL might be easier to realize that cookies and other HTTP request headers cannot be trusted. You cannot prevent the data from being manipulated, an attacker could use an intercepting proxy such as burp or fiddler, the browser developer tools. Or even manually construct the request using curl or while fiddly I sometimes do something like this: echo -ne 'POST /uri HTTP/1.1\r\nHost: hostname.com\r\nContent-Type: application/json\r\n\r\n{"key":"value"}\r\n\r\n' | \ openssl s_client -connect hostname.com:443 This is why web application security often focuses quite heavily on input validation. Such as the OWASP proactive controls: https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs Validating the data server side can be tricky, but as you cannot trust the data you receive there aren't many other options. In addition to validating the data you'll also need to ensure you handle it in context safe ways, like using parameterized database queries and encoding html characters in page output.

Looking at a single HTTP response with status code 302 can not be used to make any assumptions about previous communication with the site, including no assumptions about the existence or the content of previous HTTP responses from the site. It is even possible that the same requests sometimes serves content and other times results in a 302 redirect. As for returning script within the same response as the 302: The status code by itself might not be sufficient information for this. I think one can rely on common browsers not executing the body of the response if they actually do a redirect. But a server can send a HTTP response with code 302 which does not cause a redirect, for example by omitting the Location header. For example Google Chrome will happily execute code in a HTML response served with status code 302 and a missing Location header. By combining this with a script based redirect one can make it look like a redirect was caused by status code 302, but still execute code before the redirect: HTTP/1.1 302 ok Content-type: text/html

JIT compilers are at risk of an attack-aiding technique called " https://en.wikipedia.org/wiki/JIT_spraying ", which is a way to get around NX (data execution prevention) protections when dropping a shellcode. The idea is that you create a large number of mathematical operations involving very large constants (32-bit or even 64-bit, using all the bytes) in your JS (or other language to be JIT-compiled), and when the compiler converts them into machine code and makes the resulting page in memory writable, you have a ready-made program (or at least collection of executable gadgets) if you jump into it at an offset. That is, because you control every byte (arbitrary control over the ones in the constants; the ones in the opcodes are predictable but more restricted), you can create code that does something totally under you control, if you enter it offset from an actual instruction boundary. This is the same approach used to create ROP gadgets, but unlike ROP gadgets (which are often in other libraries, whose addresses are randomized by ASLR), with a JIT spray you can create the perfect shellcode, including a NOP sled if your exploit doesn't afford precision targeting. Note that JIT spraying is not itself an exploit, any more than ROP is; it's a way to get from "control of the instruction pointer" to "arbitrary code execution" on a modern machine with modern exploit mitigations (like NX, ASLR, etc.). The attacker still needs an exploit - typically a memory corruption - to gain that control. JIT spraying does have mitigations of its own. One option is "constant blinding", where the JIT randomly selects an XOR mask and, every time it would emit an operation containing a constant (or "immediate") operand, it instead XORs the constant with the mask, and emits two instructions (an XOR that undoes the step the JIT just did, and the original operation upon the unmasked operand now present in a register). However, constant blinding has a performance impact (additional ALU operations, decreased cache density, increased register usage). Other possibilities include doing something similar to ASLR on a local scale (scattering compiled machine code haphazardly, on the basis that any given spray will now be fragmented) or inserting NOPs (not necessarily the classic opcode for them, just any non-state-changing operation) between real instructions (on the basis that this will break non-aligned instruction streams). Obviously these also have performance impact. Of course, none of these mitigations cost nearly as much performance as turning JIT compilation off entirely... Another security risk with JIT compilers is that it increases attack surface. Compilers have bugs sometimes, like any complicated piece of software, and a known compiler bug can sometimes be used to generate illegal (per the language spec) operations such as writing to addresses that aren't supposed to be under user control (e.g. directly setting the address or length of an array's backing buffer). Interpreters also have tons of attack surface, but usually can't be turned off (even with JIT enabled, some code gets passed to the interpreter) so disabling JIT is still a reduction in total attack surface. Finally, some attacks require the malicious code to be "close to the metal" in a way that interpreters don't really support, but compilers (including JIT) do. For example, consider the (original) Spectre CPU bug of four years back. Exploiting Spectre required executing in very small windows of time (performing a memory lookup before the speculative execution branch was terminated), using very precise timing to measure the results (difference between a cache hit and a cache miss), and of course required that the target address not be evicted from the cache before being tested. This is relatively easy with compiled code, but an interpreter might well have produced so many extra steps (including slow and cache-modifying memory accesses) that it would be totally impractical to get the tight code and accurate timings needed. Now, with all that said... the typical reason you might want to disable JIT is actually not security at all. As I said above, compilers can be buggy, and JITs are no exception. Even aside from security risks, somebody investigating a bizarre misbehavior in their code might disable the JIT to see if that was the cause. Additionally, JITs are considerably less portable than the rest of the browser (by their nature, they must be specific to every instruction set and sometimes OS), so somebody working on porting a browser to a new platform might disable the JIT by default in early releases (even after it's nominally working) due to higher-than-normal risk of bugs causing script errors. As for what JS-based attacks are not prevented, anything in the JS runtime (which is where most security bugs are found). For example, a double-free, use-after-free, buffer overflow (due to failure to check bounds or integer overflow or so on), etc. While these bugs might manifest differently when JIT is used or not, the underlying logic bug in the runtime that causes e.g. an object to be garbage collected while still available to the code (use after free) is typically going to manifest regardless of whether the user-supplied code is compiled or not. Such vulnerabilities have been a threat to JS engines since they were introduced in the 90s.

The https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element that the src attribute must point to a valid image resource that is neither paged nor scripted. The src attribute must be present, and must contain a valid non-empty URL potentially surrounded by spaces referencing a non-interactive, optionally animated, image resource that is neither paged nor scripted. ... However, these definitions preclude SVG files with script, multipage PDF files, interactive MNG files, HTML documents, plain text documents, and the like. Whether a future browser complies with this or not is a different story.

There are quite a number of valid event attributes for an option tag. portswigger has a nice https://portswigger.net/web-security/cross-site-scripting/cheat-sheet for any given tag (just select the option as tag). onclick eg works in firefox: It will execute when you select (ie click on) the option in question. onfterscriptexecute will work in firefox without user interaction, as long as the page contains javascript that will execute: portswigger is a bit outdated on Chrome (most of the payloads I tried do not work anymore), but eg this still works: It requires a pre-defined animation code (via keyframes) on the target page though.

That script is added to the loading of your site as part of Cloudflare's Bot Fight Mode, found under the Firewall > Bots settings. I've noticed it can add considerable delay to page load time as reported in speed tests such as GT Metrix. I am not aware of any way around it, except to disable that feature in Cloudflare, and potentially use another method of bot protection. Suitable alternatives will somewhat depend on what kind of bots you were trying to protect your site from.

There are several few confusions here, which I'll try to clear up for you. HTTP/HTTPS requests don't get access to storage at all. However, scripts running on a page get access to storage for the domain of the page they're running on (completely regardless of where that script comes from originally). The scripts can make requests, including using the info from localstorage. However, anything from localstorage that a script wants to have present on a request, the script has to explicitly put it there. Cookies, on the other hand, are sent automatically with requests, based on where the request is sent to (not where it's sent from)! The cookies are sent whether or not they are exposed to script (that is, they're sent even if they are marked "httponly", in which case they wouldn't show up to document.cookie for a script running on the destination domain). If a cookie is set for domain A (and not yet expired), there are only three common reasons it might not attend a request that is sent to A: The cookie is marked "secure" but the request is over unsecured HTTP The cookie is marked "samesite" but the request is coming from a totally different domain The request is being made cross-origin using a script, and the script did not specify to send "credentials" with the request (There are other less-common reasons, like the "path" property, but those are the most relevant three). Every aspect of an HTTPS request - not just the cookies but also all other headers, the entire body, and the entire URL except for the port, IP address, and maybe the domain name - is encrypted for HTTPS requests. That means if you stick a value from localstorage into an HTTPS request anywhere - as part of the URL path/query, in a header including a cookie, or in the body - it will be encrypted such that only the destination server can read it. Stealing data from localstorage generally requires injecting a script (a.k.a. "cross-site scripting" or XSS) into a page running on that origin (because "scripts on pages from that origin" are the only things that have access to localstorage). If my script is running on your site's page, I can almost certainly figure out who the user is! Either the page itself will tell me (e.g. through the presence of the user's name somewhere on the page, which a script can pull out of the DOM), or from a JWT or similar that I can read it out of or by using either the page's cookies, or using secrets in localstorage to make an authenticated request to the server in a way that reveals the user's identity (e.g. by requesting and parsing their profile page). With that context established, let's talk about cookies vs. localstorage. There are a few other questions about that on this site, but it boils down to this: For authentication tokens (JWTs, opaque session tokens, API keys, etc.) the advantage of using cookies is that they can be marked "httponly" in which case a malicious script injected into the page (XSS) can't steal them (though it can still use them, because they're added to every request to the relevant site automatically!). The downside of cookies is that they make you vulnerable to CSRF. Using localstorage inverts these risks (no CSRF, but impossible to prevent stealing the token if XSS happens). There are other ways to prevent CSRF, though, and they're usually easier than preventing XSS (although there are ways to do that too, and of course "can't steal the token" doesn't mean XSS isn't a problem!). For data that needs to be visible to client-side scripts, but not necessarily sent to the server on every request, use localstorage. For data that needs to be sent to the server (or at least to some particular server) with every request but isn't used client-side, use a cookie. Scope its domain as tightly as possible, set the "secure" and "httponly" flags, and set the "samesite=lax" flag unless it needs to be sent on cross-site requests ("samesite" on a cookie holding the access token will prevent CSRF, at least from third-party domains, for modern browsers).

This specific code is unlikely to be vulnerable to XSS, but only because the URL in href was not decoded. For example, visiting bad.html?x= would write the following to to the page: https://example.com/bad.html?x=%3Cscript%3Ealert(%22xss%22)%3C/script%3E This is because the <, >, and " characters are encoded as part of the URL. However, if the javascript on the page was to pass location.href through the decodeURI function first, i.e. writing decodeURI(location.href), it would be vulnerable. The following would be written to the document: https://example.com/bad.html?x=

Could a user get / change the client-side JavaScript code, and send some kind of bad message to the server? (e.g., SQL injection) Given that in almost all cases the server has no sufficient control over the client, it is practically never safe to blindly trust that the client will only send the expected data. This is true for "normal" HTTP requests, API calls, WebSockets, mail, instant messaging ... What are the ways of preventing that? Always rigorously verify user input before using it a potentially dangerous way. Also use techniques which prevent injection attacks by design, like https://bobby-tables.com/ instead of constructing SQL instructions using string concatenation with untrusted user input.

See https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues , where it reads: The Crypto.getRandomValues() method lets you get cryptographically strong random values. (emphasis mine) In contrast, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random , where it reads: Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method. (emphasis mine)