Palant found an XSS bug on an error page that gets presented when a user tries to submit a video after already submitting one for an assignment. The page contained a “View on Classroom” button that sent the user to Google Classroom using this code:

window.open(urseworkLink)

'It’s a query string parameter,' Palant explains in his post. 'Is there some link validation in between? Nope. So, if the query string parameter is something like javascript:alert(document.domain), will clicking this button run JavaScript code in the context of the domain? It sure will!'

To make that happen, the attacker would still need to trick the victim into clicking on this button.
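The missing link validation Palant describes could look like the following. This is an added example, not code from Palant's post or from the affected page; the query parameter name "link", the helper names and the allowlisted host classroom.google.com are assumptions made for illustration.

```javascript
// Added example: validate a link taken from a query string before it
// reaches window.open(). ALLOWED_HOSTS, the parameter name "link" and
// both function names are assumptions, not the affected page's code.
const ALLOWED_HOSTS = new Set(["classroom.google.com"]);

function safeExternalUrl(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // No base URL is given, so relative and protocol-relative input
    // ("//host/path") throws and is rejected instead of being resolved.
    url = new URL(raw);
  } catch {
    return null;
  }
  // The URL parser lowercases the scheme and strips tabs and newlines,
  // so "JaVaScRiPt:" and "java\tscript:" both arrive here as "javascript:".
  // Allowlisting https: also rejects data:, vbscript:, blob: and the rest.
  if (url.protocol !== "https:") return null;
  // Exact host match: "classroom.google.com.evil.example" must not pass.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  // Reject embedded credentials such as https://user@host/.
  if (url.username || url.password) return null;
  return url.href;
}

function linkFromQuery(queryString, param) {
  const raw = new URLSearchParams(queryString).get(param);
  return raw === null ? null : safeExternalUrl(raw);
}

// Browser usage (hypothetical click handler):
//   const target = linkFromQuery(location.search, "link");
//   if (target) window.open(target, "_blank", "noopener,noreferrer");
```

Checking the parsed scheme and host, rather than searching the raw string for "javascript:", is what makes the case and whitespace variants fail closed.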