User talk:Jeff Williams

Revision as of 13:43, 5 November 2009 by Jeff Williams (Talk | contribs)

Jump to: navigation, search

Injecting DOWN
The less common way to perform XSS injection is to introduce a code subcontext without closing the current context. For example, if you change <img src="...UNTRUSTED DATA HERE..." /> to <img src="javascript:alert(1)" /> you do not have to escape the HTML attribute context. Instead, you introduce context that allows scripting within the src attribute. Another example is the expression() functionality in CSS properties. Even though you may not be able to escape a quoted CSS property to inject up, you may be able to introduce something like xss:expression(document.write(document.cookie)) without ever leaving the current context.