Web Application Security
XSS - Double Quote break out and White Space filtered May 28 2009 06:13AM arvind doraiswamy (arvind doraiswamy gmail com) (2 replies)
RE: XSS - Double Quote break out and White Space filtered May 28 2009 09:00AM PortSwigger (mail portswigger net) (1 replies)
Re: XSS - Double Quote break out and White Space filtered May 28 2009 02:46PM arvind doraiswamy (arvind doraiswamy gmail com) (1 replies)
RE: XSS - Double Quote break out and White Space filtered May 29 2009 02:48AM Jeff Williams (planetlevel gmail com)
> Problem 1:
> Here's what is allowed:
>
> ( ) : ; &
Is "=" allowed as well? Without that, it's going to be difficult, I
think.
With =, you can use an onmouseover event handler and a style attribute
to enlarge the input field and make it transparent (so that the event
handler actually fires). Both can be &-encoded to bypass the filter.
This will work in any browser; direct script injection into style
attributes is quite browser-specific.
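The defensive counterpart to the attribute break-out discussed in this thread, as an added example that is not part of the original post: encoding every non-alphanumeric character on output keeps the value inside the `value` attribute, where a character filter on input does not. The input field markup, the function names and the sample value are assumptions, and Python's `html.parser` stands in for a browser's attribute parsing.

```python
from html.parser import HTMLParser

# Constructed sample value: a double quote followed by an event-handler attribute.
SAMPLE = 'x" onmouseover="alert(1)'


def encode_attr(value: str) -> str:
    """Encode every character except ASCII letters and digits as &#xHH;."""
    return "".join(
        ch if ch.isascii() and ch.isalnum() else f"&#x{ord(ch):X};"
        for ch in value
    )


def render_unsafe(value: str) -> str:
    # Hypothetical vulnerable template: value is placed in the attribute as-is.
    return f'<input type="text" name="q" value="{value}">'


def render_safe(value: str) -> str:
    # Same template with attribute-context output encoding applied.
    return f'<input type="text" name="q" value="{encode_attr(value)}">'


class _AttrCollector(HTMLParser):
    """Records the attributes of each start tag, with character references decoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_attrs(markup: str) -> dict:
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags[0][1]


def injected_attributes(markup: str) -> list:
    """Attributes present on the tag beyond the three the template defines."""
    return sorted(set(parsed_attrs(markup)) - {"type", "name", "value"})


if __name__ == "__main__":
    print("unsafe:", injected_attributes(render_unsafe(SAMPLE)))
    print("safe:  ", injected_attributes(render_safe(SAMPLE)))
```
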