
(docs) The php example for response is not xss safe #32

Description

@alexlehm

The PHP example on the docs page uses a pattern that is not XSS safe. While this may not be directly exploitable if the report script is setting the correct Content-Type, it is still good practice to provide safe examples (it might be exploitable if the Content-Type is text/html).

jsErrLog.removeScript(<?=$_GET['i']?>);

At least a regex check is required to avoid XSS:

<?php
$i = $_GET['i'] ?? '';
// preg_match() returns 1 on a match and 0 on no match (FALSE only on error),
// so test for a positive match rather than comparing against FALSE.
if (preg_match('/^[0-9]+$/', $i) !== 1) {
  $i = 0;
}
?>
jsErrLog.removeScript(<?=$i?>);

(I hope I got the script correct, typed this from memory)
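The contrast described in this issue, as an added example that is not part of the jsErrLog project or of the original report: the unsafe interpolation from the docs beside a hardened version of the report endpoint. The function names, the constructed probe input and the Content-Type handling are assumptions for illustration.

```php
<?php
// Added example, not jsErrLog project code. Contrasts the unsafe docs pattern
// with a hardened report endpoint. Function names and headers are assumptions.

// Unsafe: the raw query parameter is interpolated into a JavaScript call.
// With the constructed input  i=1);alert(1);//  the emitted script becomes
//   jsErrLog.removeScript(1);alert(1);//);
// which executes attacker-controlled code wherever the response is treated
// as script (or as HTML containing script).
function renderUnsafe(array $query): string
{
    $i = $query['i'] ?? '';
    return "jsErrLog.removeScript(" . $i . ");";
}

// Hardened: accept only a decimal integer id, anything else falls back to 0.
// preg_match() returns 1 on match, 0 on no match and false on error, so the
// test must be "!== 1"; comparing against false lets non-matching input through.
// The is_string() guard also rejects  ?i[]=x , which PHP delivers as an array.
function sanitizeId($raw): int
{
    if (!is_string($raw) || preg_match('/^[0-9]+$/', $raw) !== 1) {
        return 0;
    }
    return (int) $raw;   // overlong digit strings saturate to PHP_INT_MAX, still a bare number
}

function renderSafe(array $query): string
{
    $i = sanitizeId($query['i'] ?? '');
    // json_encode() of an int always yields a plain numeric literal.
    return "jsErrLog.removeScript(" . json_encode($i) . ");";
}

// Web entry point (assumption: a GET request carrying "i", as in the docs).
if (PHP_SAPI !== 'cli') {
    // Declare the type explicitly so a browser never sniffs the body as HTML.
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo renderSafe($_GET);
    exit;
}

// CLI self-check with constructed inputs.
$probe = ['i' => '1);alert(1);//'];
echo "unsafe: " . renderUnsafe($probe) . "\n";
echo "safe:   " . renderSafe($probe) . "\n";
echo "safe:   " . renderSafe(['i' => '42']) . "\n";
```

Run it with `php example.php` to see the payload survive in the unsafe rendering and collapse to `0` in the safe one. Casting to int and emitting the value with `json_encode()` is preferred over echoing the regex-validated string, because it makes the output type a property of the code rather than of the pattern.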
