OWASP's XSS Filter Evasion Cheat Sheet mentions "& JavaScript includes":
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes
The example it provides is as follows:
<BR SIZE="&{alert('XSS')}">
I tried it on jsfiddle with Chrome and Firefox and I'm not getting a JS popup. So on what browsers / versions is this supposed to work?
The URL:
You'll need to break out your copy of Netscape 4 to reproduce it.
Newer versions of Netscape (and every other browser) do not allow that use of the & operator.