I did some XSS / JavaScript-injection / penetration testing on ASP.NET and noticed that modern web browsers (i.e. the latest FF and Chrome) are escaping the URLs entered into the address bar.
So:
http://example.com/search/?q="><script>alert('hi');</script>
is sent to my server as:
http://example.com/search/?q=%22%3e%3cscript%3ealert(%27hi%27)%3b%3c%2fscript%3e
Is there a list of all the (main) browsers that do this, and those that don't? Can mobile browsers do this?
I think all browsers escape URLs, except those that have errors and do not follow the RFC (RFC 3986).
If I'm not mistaken, you can use http://browsershots.org/ or something similar to check it out.
Test example: http://browsershots.org/requests/12461378
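Whichever browsers encode the address bar, the server decodes the query string again before application code sees it, and clients other than browsers can send anything, so this encoding is not an XSS defence. An added example (not part of the original posts; the function names are hypothetical, and Node.js's WHATWG URL parser stands in for a standards-conforming browser) showing the round trip and the output encoding that neutralizes the value:

```javascript
// Constructed input: the address from the question, as typed.
const typed = `http://example.com/search/?q="><script>alert('hi');</script>`;
// The encoded form quoted in the question, as logged on the server.
const logged =
  'http://example.com/search/?q=%22%3e%3cscript%3ealert(%27hi%27)%3b%3c%2fscript%3e';

// What a WHATWG-URL-conforming client puts on the wire: characters such as
// " < > in the query are percent-encoded (hex case and the exact set of
// encoded characters differ between clients and frameworks).
function asSentByBrowser(address) {
  return new URL(address).href;
}

// What application code receives once the query string has been decoded.
function asSeenByApp(requestUrl) {
  return new URL(requestUrl).searchParams.get('q');
}

// Output encoding for HTML text and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical view code: reflect the search term back into the page safely.
function renderSearchBox(q) {
  return `<input name="q" value="${escapeHtml(q)}">`;
}

const onTheWire = asSentByBrowser(typed);
const received = asSeenByApp(onTheWire);
console.log('on the wire :', onTheWire);
console.log('app receives:', received);               // original characters again
console.log('same as log :', asSeenByApp(logged) === received);
console.log('rendered    :', renderSearchBox(received));
```

Both encodings decode to the same string, so the value must be encoded for its output context regardless of which browser sent it.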
Source: https://habr.com/ru/post/975030/