If the attacker can control the value of the input field
Source, they can easily construct a malicious value that causes their script via
Sink to execute, allowing the attacker to deliver an attack using a malicious URL, in the same manner as reflected XSS.
You should avoid allowing data from any untrusted source to dynamically alter the value that is transmitted to any sink.
If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code such as :
- The relevant data can be validated on a whitelist basis, only allowing content that is known to be safe.
- It will be necessary to sanitize or encode the data.