Vulnerability Development mailing list archives
Re: Can you exploit this XSS?
From: "Sverre H. Huseby" <shh () thathost com>
Date: Thu, 20 Nov 2003 08:03:05 +0100
|   What you have run into is called attribute encoding.  When dealing
|   with html tag attributes enclosed inside of quotation marks, the only
|   char that is "required" to encode is ".

One should encode & as well, as was done in the initial example.  & is
a metacharacter everywhere, including inside attribute values.  (And
old Netscape would parse &{alert(document.cookie)}; as JavaScript
inside attribute values.)

|   Depending on the browser it may be possible to trick some browsers
|   into thinking your html is broken by injecting line feeds and
|   starting up new tags.

Yes, some browsers are very forgiving.  They may parse stuff that
isn't well formed HTML (if such a thing can be said to exist :) )

Sverre.
-- 
shh () thathost com
http://shh.thathost.com/
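
The point made in the reply above, encoding & as well as " inside quoted attribute values, shown as an added example that is not part of the original message. The function names, the simplified decoder, and the sample strings other than the Netscape one quoted in the message are assumptions constructed for illustration.

```javascript
"use strict";

// Weak form: only the double quote is encoded.
function encodeQuoteOnly(value) {
  return String(value).replace(/"/g, "&quot;");
}

// Form recommended in the reply: encode & first (so the & of the
// generated &quot; is not encoded again), then the double quote.
function encodeAttr(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Simplified model of how a browser decodes character references in an
// attribute value. Assumption: four named entities plus numeric
// references; real browsers know many more.
const NAMED = new Map([["amp", "&"], ["quot", '"'], ["lt", "<"], ["gt", ">"]]);
function decodeAttr(text) {
  return text.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|[a-z]+);/g, (whole, ref) => {
    if (ref[0] !== "#") return NAMED.has(ref) ? NAMED.get(ref) : whole;
    const hex = ref[1] === "x";
    const code = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : whole;
  });
}

// Lists what goes wrong when `value` is written into a quoted attribute
// with the given encoder. An empty list means the value is safe to embed
// and the browser will see exactly what was supplied.
function check(encoder, value) {
  const encoded = encoder(value);
  const problems = [];
  if (encoded.includes('"')) problems.push("raw quote");
  if (encoded.includes("&{")) problems.push("raw &{");
  if (decodeAttr(encoded) !== value) problems.push("value changed");
  return problems;
}

// Constructed sample inputs, plus the Netscape string from the message.
const SAMPLES = ['Tom & Jerry "live"', "AT&amp;T", "5 &#34; pipe",
                 "&{alert(document.cookie)};"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "quote-only:", check(encodeQuoteOnly, s),
              "amp+quote:", check(encodeAttr, s));
}
```

With the quote-only encoder, any & in the input reaches the browser as markup, so entity text is decoded into something the user never supplied and the `&{` sequence survives intact; encoding & first removes both problems.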
