Difference between revisions of "User talk:Jeff Williams"

From OWASP
Line 4: Line 4:
 
}}
 
}}
  
<img src="javascript:alert(1)
+
;Injecting DOWN:The less common way to perform XSS injection is to introduce a code subcontext without closing the current context. For example, if you change <img src="...UNTRUSTED DATA HERE..." /> to <img src="javascript:alert(1)" /> you do not have to escape the HTML attribute context.  Instead, you introduce context that allows scripting within the src attribute. Another example is the expression() functionality in CSS properties. Even though you may not be able to escape a quoted CSS property to inject up, you may be able to introduce something like xss:expression(document.write(document.cookie)) without ever leaving the current context.
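Review bot: In the added definition, "you do not have to escape the HTML attribute context" uses "escape" to mean breaking out of the context, which is easy to misread as output escaping in a passage about XSS; suggest "break out of the HTML attribute context", and likewise for "escape a quoted CSS property". The entry also names the two subcontexts (javascript: in src, expression() in a CSS property) without saying what the defence for each is, so a closing sentence pointing to the relevant rule would make it actionable. The removed line was an unterminated <img src="javascript:alert(1), so check that the inline <img ... /> tags in the new text render as literal text rather than being swallowed by the wiki parser.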

Revision as of 14:43, 5 November 2009

Injecting DOWN
The less common way to perform XSS injection is to introduce a code subcontext without closing the current context. For example, if you change <img src="...UNTRUSTED DATA HERE..." /> to <img src="javascript:alert(1)" />, you do not have to break out of the HTML attribute context. Instead, you introduce a context that allows scripting within the src attribute. Another example is the expression() functionality in CSS properties. Even though you may not be able to break out of a quoted CSS property to inject up, you may be able to introduce something like xss:expression(document.write(document.cookie)) without ever leaving the current context.
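The following is an added example, not part of the original page: it shows that HTML attribute encoding alone leaves the javascript: value from the paragraph above untouched, and that the src attribute also needs a scheme allowlist. The function names, the allowlist and the base origin https://app.example/ are assumptions made for illustration.

```javascript
// Added example; all names and the base origin are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const BASE = "https://app.example/"; // assumed origin used to resolve relative URLs

// HTML attribute encoding: stops a value from closing the quoted attribute.
function encodeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Encoding only. The value from the page contains no character that needs
// encoding, so it reaches the src attribute unchanged.
function renderImgEncodedOnly(untrusted) {
  return '<img src="' + encodeHtmlAttr(untrusted) + '" />';
}

// Scheme allowlist. The WHATWG URL parser lower-cases the scheme and strips
// the whitespace a browser would ignore, so the check is made on the parsed
// protocol and not on a string prefix of the raw input.
function safeImgSrc(untrusted) {
  let url;
  try {
    url = new URL(untrusted, BASE);
  } catch {
    return null; // unparseable input is rejected
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Validate the scheme first, then encode for the attribute context.
// A rejected value produces no element at all.
function renderImg(untrusted) {
  const src = safeImgSrc(untrusted);
  return src === null ? "" : '<img src="' + encodeHtmlAttr(src) + '" />';
}

// Constructed sample inputs: the value from the page and a benign relative path.
for (const input of ["javascript:alert(1)", "/img/logo.png"]) {
  console.log(JSON.stringify(input), "encoded only:", renderImgEncodedOnly(input));
  console.log(JSON.stringify(input), "validated:   ", JSON.stringify(renderImg(input)));
}
```
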