Why escape & to avoid XSS

I'm just wondering if anyone knows of a case where not escaping & to &amp; leads to a Cross Site Scripting vulnerability? I thought about it, but could not come up with an example.

Thanks in advance, Konne

+3
2 answers

You can try something like this

&#39;+alert(1)+&#39;

worked on search.twitter.com until today.

https://twitter.com/#!/kinugawamasato/status/38539726470397952

+1

A lot depends on where the injection is, but a simple example would be

<a href="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;">XSS</a>    

html- javascript:alert(1), XSS. iframe src, document.location=, window.open(), html.

, URL ,

<a onclick='http://www.foo.com?injection=&#39;*alert(1)*&#39;'>XSS</a>

html, onevent javascript.

0
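The two answers above, checked as an added example that is not part of the original thread: the inputs are the strings quoted in the answers, `weak_escape` is a hypothetical filter that escapes everything except `&`, and `html.unescape` stands in for the character-reference decoding a browser applies to attribute values.

```python
import html
from urllib.parse import urlsplit

# Inputs quoted from the answers above (inert strings; nothing is executed).
HREF_INPUT = ("&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;"
              "&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;")
HANDLER_INPUT = "&#39;*alert(1)*&#39;"


def weak_escape(value: str) -> str:
    """Hypothetical filter: escapes < > " ' but leaves & untouched."""
    for ch, ent in (("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"), ("'", "&#39;")):
        value = value.replace(ch, ent)
    return value


def full_escape(value: str) -> str:
    """Escapes & as well (html.escape handles & first, then < > " ')."""
    return html.escape(value, quote=True)


def as_seen_by_browser(attr_source: str) -> str:
    """Model of the entity decoding applied to an attribute value."""
    return html.unescape(attr_source)


def href_is_script(attr_source: str) -> bool:
    """True if the decoded href carries the javascript: scheme."""
    decoded = as_seen_by_browser(attr_source).strip()
    return urlsplit(decoded).scheme.lower() == "javascript"


def breaks_out_of_js_string(attr_source: str) -> bool:
    """True if the decoded value holds a raw ' that would end a '...'
    JavaScript string literal inside an on* handler attribute."""
    return "'" in as_seen_by_browser(attr_source)


if __name__ == "__main__":
    for name, escape in (("weak", weak_escape), ("full", full_escape)):
        print(name,
              "href->script:", href_is_script(escape(HREF_INPUT)),
              "handler breakout:", breaks_out_of_js_string(escape(HANDLER_INPUT)))
```

Escaping `&` only stops entities from surviving the filter; a value used as a whole URL still needs a scheme allowlist, because a plain `javascript:` string contains no character that any HTML escaper would change.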

Source: https://habr.com/ru/post/1790593/