Cross Site Scripting injection

后端 未结 1 1063
我寻月下人不归
我寻月下人不归 2021-02-09 14:15

I am testing a web application. I want to write an XSS script that will display an alert \"Hello\".

The first script I wrote was:

相关标签:
1条回答
  • 2021-02-09 14:50

    Most likely that site replaces double quotes with HTML entities or tries to escape them in some other way that makes them unsuitable for JavaScript. When using String.fromCharCode(...) you don't have to use any quotation marks so it'll work. It gets a list of the ASCII codes of the string's characters and creates a string out of them during runtime. So there's no need for any quoting.

    The proper way to avoid this kind of XSS is to replace < with &lt; - that way a script tag cannot be created at all.

    Note that >, " and & should also be replaced with their respective HTML entities when sanitizing data containing HTML! However, only < is absolutely required to defeat XSS attacks assuming no untrusted data can be used in HTML attributes (that's where " needs to be sanitized)

    0 讨论(0)
提交回复
热议问题