I was just wondering, does anybody know a use case where not escaping the `&` to `&amp;` leads to Cross Site Scripting vulnerabilities? I thought about it but couldn't come up with an example.

Thanks in advance, Konne
You could try something like this:

`'+alert(1)+'`

It was working on search.twitter.com up to earlier today.
https://twitter.com/#!/kinugawamasato/status/38539726470397952
A lot depends on where the injection lands, but a simple example would be

`<a href="javascript:alert(1)">XSS</a>`

which is an HTML-encoded payload `javascript:alert(1)` that will fire when the XSS link is clicked. This can also be used in an iframe `src`, `document.location=`, `window.open()`, or other methods that would cause the HTML-encoded payload to be decoded and then executed.

Another example would be landing inside of an onevent which reflects the URL with injection, such as

`<a onclick='http://www.foo.com?injection='*alert(1)*''>XSS</a>`

The HTML-encoded payload will be decoded, break out of the onevent syntax and fire the injected JavaScript.
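The two cases in this answer (an entity-encoded `javascript:` scheme in `href`, and an entity-encoded quote breaking out of `onclick='...'`) come down to one parser rule: character references inside an attribute value are decoded before the value is used as a URL or as script. The following is an added illustration, not code from the answer or from any site mentioned; the sample attribute values are constructed, and it shows why escaping `&` as `&amp;` at output time is what neutralises both.

```python
import html
from urllib.parse import urlsplit

# Constructed samples (not taken from the page): attacker-controlled values that a
# template inserted into an attribute without escaping '&'.
ENCODED_HREF = "&#106;avascript:alert(1)"      # decodes to javascript:alert(1)
ENCODED_ONCLICK = "&#39;*alert(1)*&#39;"        # decodes to '*alert(1)*'


def browser_attribute_value(raw_attr: str) -> str:
    """What the browser actually uses: character references are decoded once
    while the tag is parsed, *before* the value is treated as a URL or script."""
    return html.unescape(raw_attr)


def escape_for_attribute(value: str) -> str:
    """Correct output encoding: '&' becomes '&amp;' (quotes and angle brackets are
    escaped too), so the parser sees literal text rather than a reference."""
    return html.escape(value, quote=True)


def is_script_scheme(url: str) -> bool:
    """Simplified scheme check (real browsers also strip embedded tabs/newlines)."""
    return urlsplit(url.strip()).scheme.lower() in {"javascript", "vbscript", "data"}


def href_executes(raw_attr: str) -> bool:
    """True if the decoded href would run script when the link is clicked."""
    return is_script_scheme(browser_attribute_value(raw_attr))


def breaks_single_quoted_handler(raw_attr: str) -> bool:
    """True if the decoded value contains a quote that would terminate
    onclick='...' and let the remainder run as injected JavaScript."""
    return "'" in browser_attribute_value(raw_attr)


if __name__ == "__main__":
    for raw in (ENCODED_HREF, escape_for_attribute(ENCODED_HREF)):
        print(f"href={raw!r:34} -> {browser_attribute_value(raw)!r}, "
              f"executes={href_executes(raw)}")
    for raw in (ENCODED_ONCLICK, escape_for_attribute(ENCODED_ONCLICK)):
        print(f"onclick={raw!r:34} -> {browser_attribute_value(raw)!r}, "
              f"breaks out={breaks_single_quoted_handler(raw)}")
```

After `escape_for_attribute`, the browser decodes `&amp;#106;` to the literal text `&#106;`, so the URL has no scheme and the handler keeps its quotes intact.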