Bug report: XSS in "magic wand" for URL encode on mouseover #484
Closed
Description
Summary
Using the URL encoding with "all characters" works as expected with proper escaping. The "magic wand" used for automatic decoding, however, triggers an XSS on mouseover.
The automatic decoding via mouseover does not properly sanitize the given input.
The vector requires user interaction and is not persistent. This is most likely unexpected and unwanted behaviour and exploitation is very unlikely.
Verified on Chrome Version 71.0.3578.98 (Official Build) (64-bit) and Mozilla Firefox 64.0.
Example
Using the payload "<script>alert(1234)</script>" as input and "url encode all characters" as recipe, the following behaviour can be reproduced. Other JavaScript will also be executed.
Script execution is triggered at least by mouseover on the "magic wand".
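
The behaviour reported above belongs to the class of bugs where automatically decoded data is placed into preview markup without HTML escaping. The following is an added sketch, not CyberChef's code and not part of the original report; all function names and the `preview` class are hypothetical, and the sample string is the payload quoted in the report.

```javascript
// Added illustration; names are hypothetical, not taken from the project.

// Sample input, copied from the report above.
const SAMPLE_FROM_REPORT = "<script>alert(1234)</script>";

// Percent-encode every UTF-8 byte, like a "URL encode, all characters" step.
function urlEncodeAll(input) {
  return Array.from(new TextEncoder().encode(input))
    .map((b) => "%" + b.toString(16).toUpperCase().padStart(2, "0"))
    .join("");
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Decode for preview; malformed percent sequences make decodeURIComponent
// throw a URIError, so fall back to showing the input unchanged.
function decodeForPreview(encoded) {
  try {
    return decodeURIComponent(encoded);
  } catch (e) {
    return encoded;
  }
}

// Unsafe pattern: decoded data is concatenated straight into markup, so an
// HTML sink receiving this string parses the data as tags.
function previewMarkupUnsafe(encoded) {
  return '<div class="preview">' + decodeForPreview(encoded) + "</div>";
}

// Hardened pattern: the decoded data is escaped first and stays inert text.
function previewMarkupSafe(encoded) {
  return '<div class="preview">' + escapeHtml(decodeForPreview(encoded)) + "</div>";
}

const encodedSample = urlEncodeAll(SAMPLE_FROM_REPORT);
console.log(encodedSample);
console.log(previewMarkupUnsafe(encodedSample));
console.log(previewMarkupSafe(encodedSample));
```

In a browser, assigning the decoded string through `textContent` instead of building markup gives the same result without a hand-written escaper.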

