BugTraq
Re: XSS vulnerability in phpBB (an other ;-) Sep 09 2003 11:14PM
Steven M. Christey (coley mitre org)

keupon_ps2 (at) yahoo (dot) fr said:

>but this will work (on phpBB 2.0.6):
>[url=http://www.google.fr" onclick="alert('Hello')]text[/url]
>
>I don't remember who has said that it will work on every version of phpBB
>but I've tested it on phpBB 2.0.4 and it doesn't work.
>Another person has said that it only works with this code:
>[url=http://www.google.fr" onclick="alert('Hello');"]text[/url]
>I've tested it on 2.0.6 and it works but the code without the ;" works
>also.

These discrepancies might be due to differences in how web browsers
render "bad" HTML, rather than a quirk in phpBB.

Since the first example URL doesn't have a closing double-quote
character in the onclick value, some browsers may ignore it
altogether.

It seems likely that some types of XSS-style attacks would only work
in certain web browsers.

Which browsers (and versions) were used when testing this bug?

- Steve
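
Added example, not part of the original thread and not phpBB's code: a hypothetical [url=] renderer that copies the value into href unescaped, beside a hardened one that rejects quotes and whitespace and escapes on output, run over the BBCode quoted above. All function names are assumptions made for illustration; anchor_attrs() uses Python's HTML parser to show which attributes end up on the link.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the first BBCode string quoted in the thread.
SAMPLE = "[url=http://www.google.fr\" onclick=\"alert('Hello')]text[/url]"
URL_TAG = re.compile(r"\[url=(.*?)\](.*?)\[/url\]", re.I | re.S)

def render_naive(bbcode):
    """Hypothetical renderer: the URL lands inside href="..." unescaped."""
    return URL_TAG.sub(r'<a href="\1">\2</a>', bbcode)

def is_safe_url(url):
    """Accept only http(s) URLs with no quote, space or angle-bracket characters."""
    if re.search(r"[\s\"'<>`]", url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)

def render_hardened(bbcode):
    """Escape everything; emit a link only when the URL passes is_safe_url()."""
    out, pos = [], 0
    for m in URL_TAG.finditer(bbcode):
        out.append(html.escape(bbcode[pos:m.start()]))
        url, label = m.group(1), m.group(2)
        if is_safe_url(url):
            out.append('<a href="%s">%s</a>' % (html.escape(url), html.escape(label)))
        else:
            out.append(html.escape(m.group(0)))  # rejected tag stays inert text
        pos = m.end()
    out.append(html.escape(bbcode[pos:]))
    return "".join(out)

class AnchorAttrs(HTMLParser):
    """Collects the attribute names found on <a> start tags."""
    def __init__(self):
        super().__init__()
        self.names = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names += [name for name, _ in attrs]

def anchor_attrs(markup):
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.names
```

Because the hardened renderer never emits a raw double quote from user input, the result no longer depends on how a given browser recovers from malformed attribute markup.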

Copyright 2010, SecurityFocus