Why can't we have some AntiXss Literal html tag
Question
Nowadays I am learning about web security, XSS, etc. As XSS basically targets a client-agent (web browser) by injecting some malicious code that is executed by the web browser as it was inserted by an authenticated user. Now the question is Why can't we have a tag in html that just shows literals and prevents the execution of anything inside it?
Something like:
<!-- The code below will not be executed and just treated as literal content by a web browser -->
<ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
</ltrl>
So if I would have something like this in html then it were shown as
<script type="text/javascript">alert('You have been xssed');</script>
in web browser.
1 answers
solution1
8 ACCPTED 2012-01-01 11:47:54
Suppose the contents of the text supplied by the attacker was:
</ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
<ltrl>
the total markup would be
<ltrl>
</ltrl>
<script type="text/javascript">alert('You have been xssed');</script>
<ltrl>
</ltrl>
and your defence has been trivially breached.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.