& JavaScript includes

OWASP's XSS Filter Evasion Cheat Sheet mentions "& JavaScript includes":

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes

The example it provides is as follows:

<BR SIZE="&{alert('XSS')}">

I tried it on jsfiddle with Chrome and Firefox and I'm not getting a JS popup. So on what browsers / versions is this supposed to work?

The URL:

http://jsfiddle.net/rL1z32xb/

You'll need to break out your copy of Netscape 4 to reproduce it.

Newer versions of Netscape (and every other browser) do not allow that use of the & operator.
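
For triaging filter or WAF logs, the `&{...}` form quoted in the question can be flagged in attribute values and shown to disappear under ordinary attribute encoding. This is an added example, not part of the original question or answer; the function names (`findJsEntities`, `escapeAttr`) and the sample inputs are constructed for illustration.

```javascript
// Added example: flag "&{...}" JavaScript-entity syntax in HTML attribute values.
// All names and sample inputs here are constructed, not taken from the page.

// A start tag: name, then attributes (quoted values may contain ">").
const TAG_RE = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
// name="value", name='value' or name=value
const ATTR_RE = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+))/g;
// "&{" up to the closing "}", with an optional trailing ";"
const JS_ENTITY_RE = /&\{[^}]*\};?/;

function findJsEntities(html) {
  const hits = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const value = attr[2] ?? attr[3] ?? attr[4] ?? "";
      const m = value.match(JS_ENTITY_RE);
      if (m) {
        hits.push({ tag: tag[1].toLowerCase(), attr: attr[1].toLowerCase(), entity: m[0] });
      }
    }
  }
  return hits;
}

// Attribute-context output encoding. Once "&" is written as "&amp;",
// no "&{" sequence is left in the emitted markup.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed samples: the payload from the question plus benign look-alikes.
const SAMPLES = [
  `<BR SIZE="&{alert('XSS')}">`,          // flagged
  `<a href="/search?a=1&b=2">link</a>`,   // plain "&" in a URL: not flagged
  `<p title="Tom & Jerry {x}">text</p>`,  // "&" and "{" not adjacent: not flagged
  `<p>&{outside an attribute}</p>`,       // text node, not an attribute: not flagged
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(findJsEntities(s)), "<-", s);
}
const encoded = `<BR SIZE="${escapeAttr("&{alert('XSS')}")}">`;
console.log(JSON.stringify(findJsEntities(encoded)), "<-", encoded);
```
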
