
I am Fernando van Loenhout
A Full stack developer!


Tag security


How I found a TypeScript public playground XSS exploit

This article has been posted under the following categories: blog, security, xss and typescript

In 2021, I was playing around with the online TypeScript sandbox when I discovered a weird issue. When I tried to write XML to the terminal, instead of showing me the string representation, it was actually executing it.

While it makes sense for a code sandbox to execute the code you input, it is important that the code stays within the sandbox, because the sandbox places the proper restrictions on the JavaScript environment, which include blocking cookie access and fetch access at a minimum.

The exploit