Re: Can you exploit this XSS?
Next message: Paul Johnston: "Re: Can you exploit this XSS?"
Date: Thu, 20 Nov 2003 08:03:05 +0100
To: dd <dd@ghettohackers.net>
| What you have run into is called attribute encoding. When dealing with
| html tag attributes enclosed inside of quotation marks, the only
| char that is "required" to encode is ".
One should encode & as well, as was done in the initial example. & is
a metacharacter everywhere, including inside attribute values. (And
old Netscape would parse &{alert(document.cookie)}; as JavaScript
inside attribute values.)
| Depending on the browser it may be possible to trick some browsers
| into thinking your html is broken by injecting line feeds and
| starting up new tags.
Yes, some browsers are very forgiving. They may parse stuff that
isn't well-formed HTML (if such a thing can be said to exist :) ).
Sverre.
--
shh@thathost.com
http://shh.thathost.com/
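
The point about & made in the message above, as an added example that is not part of the original post: it compares a quote-only encoder with one that also encodes &, and checks whether each value survives a render-and-parse round trip. The function names and sample strings are constructed for illustration, and Python's html.parser stands in for a browser's attribute decoding.

```python
from html.parser import HTMLParser

# Constructed sample inputs; the fourth is the Netscape form quoted in the message.
SAMPLES = [
    'Tom & Jerry',
    'say "hi"',
    '&quot; is the entity for a quote',
    '&{alert(document.cookie)};',
    'a&lt;b',
]

def encode_quote_only(value):
    """Weak form: encodes only the double quote."""
    return value.replace('"', '&quot;')

def encode_attr(value):
    """Encodes & first, then ", so the & of '&quot;' is not re-encoded."""
    return value.replace('&', '&amp;').replace('"', '&quot;')

class _AttrReader(HTMLParser):
    """Records the decoded value attribute of every start tag."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.values.append(dict(attrs).get('value'))

def parsed_value(encoder, value):
    """Render value into a quoted attribute and return what a parser reads back."""
    reader = _AttrReader()
    reader.feed('<input name="q" value="%s">' % encoder(value))
    reader.close()
    return reader.values[0]

def leaves_raw_ampersand_brace(encoder, value):
    """True if the emitted markup still contains a literal '&{' sequence."""
    return '&{' in encoder(value)

if __name__ == '__main__':
    for sample in SAMPLES:
        for enc in (encode_quote_only, encode_attr):
            ok = parsed_value(enc, sample) == sample
            raw = leaves_raw_ampersand_brace(enc, sample)
            print('%-17s %-35r round-trip=%-5s raw-&{=%s' % (enc.__name__, sample, ok, raw))
```

With the quote-only encoder, entity-shaped input is decoded on the way back and the `&{` sequence reaches the markup unchanged; with & encoded as well, every sample reads back exactly as submitted.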