This repository has been archived by the owner on Mar 19, 2018. It is now read-only.
I was testing the filter against a set of XSS test inputs. It seems that your filter is still vulnerable to XSS such as with inputs that contain XSS payloads in the HTML tags. Examples are:
<a href="jAvAsCrIpT:alert(1)">X</a>
<img src=xx:xx" on error="alert(1);">
where it filters the on error="alert(1);" but not the <img src=xx:xx".
I kindly suggest that the whitelist used by the filter restricts tags with these attributes and events to make it more robust against XSS. Also, due to the Integer.decode() API, the filter outputs an error with inputs that contain #09, for example: <A HREF="h tt p://6	6.000146.0x7.147/">XSS</A>
A full report can be read in our paper, "Assessment of Dynamic Open-source Cross-site Scripting Filters as Security Devices in Web Applications".
Thank you.
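The three inputs above exercise two separate checks a sanitizer needs on attribute values: normalizing a URL the way the browser will before looking at its scheme (case folding, and removing the tabs that `&#09;` decodes to), and refusing any attribute that is not on a per-tag allowlist (so `onerror` never reaches the scheme check at all). The `#09` failure is a third, independent defect: `Integer.decode()` treats a leading `0` as an octal prefix, so the digits `09` of the entity throw a `NumberFormatException` instead of yielding a tab, and the filter errors out on input a browser handles without complaint. The following Python is an added example, not the filter's own code and not part of the issue text. It re-types the issue's examples as constructed inputs, with two assumptions: the event attribute is written as `onerror` (the page renders it as `on error`), and the tab-obfuscated href is written with `&#09;` entities, which is a reading of what the author's `#09` refers to. The tag/attribute allowlist is a hypothetical minimal one.

```python
import re

# Hypothetical minimal allowlist in the spirit of the issue's suggestion:
# only these tags, and only these attributes on each of them.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}

# Decimal (&#9; &#09;) and hex (&#x9;) numeric character references.
_CHARREF = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);", re.IGNORECASE)
# Browsers drop tab/newline anywhere inside a URL and strip leading/trailing
# C0 controls and spaces; removing all of them here errs on the strict side.
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")
_TAG = re.compile(r"<\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
_ATTR = re.compile(r"""([^\s=/"']+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?""")


def autoradix_parse_fails(digits):
    """Radix-guessing parse of a numeric reference's digits.

    Python's int(s, 0) rejects "09" (leading zero without an 0o prefix) and
    Java's Integer.decode("09") rejects it as an octal literal containing a 9,
    so a filter built on either turns &#09; into an exception, not a tab.
    Returns True when the parse raises.
    """
    try:
        int(digits, 0)
    except ValueError:
        return True
    return False


def decode_numeric_refs(text):
    """Decode numeric character references with an explicit radix."""
    def repl(m):
        ref = m.group(1)
        cp = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
        return chr(cp) if cp <= 0x10FFFF else "\ufffd"
    return _CHARREF.sub(repl, text)


def url_scheme(value):
    """Scheme the browser would actually dispatch on, lower-cased,
    or None for a relative URL."""
    v = _CTRL_OR_SPACE.sub("", decode_numeric_refs(value))
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.\-]*):", v)
    return m.group(1).lower() if m else None


def audit_markup(html):
    """Return (tag, attribute, reason) findings for every disallowed tag,
    disallowed attribute, or URL attribute with an unsafe scheme."""
    findings = []
    for tag_m in _TAG.finditer(html):
        tag = tag_m.group(1).lower()
        allowed = ALLOWED_ATTRS.get(tag)
        if allowed is None:
            findings.append((tag, None, "tag not in allowlist"))
            continue
        for attr_m in _ATTR.finditer(tag_m.group(2)):
            name = attr_m.group(1).lower()
            value = next((g for g in attr_m.groups()[1:] if g is not None), "")
            if name not in allowed:
                findings.append((tag, name, "attribute not in allowlist"))
            elif name in URL_ATTRS:
                scheme = url_scheme(value)
                if scheme is not None and scheme not in SAFE_SCHEMES:
                    findings.append((tag, name, f"scheme {scheme!r} not allowed"))
    return findings


# Constructed inputs re-typed from the issue (onerror and &#09; are assumptions).
SAMPLES = [
    '<a href="jAvAsCrIpT:alert(1)">X</a>',
    '<img src=xx:xx" onerror="alert(1);">',
    '<A HREF="h&#09;tt&#09;p://6&#09;6.000146.0x7.147/">XSS</A>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_markup(sample) or "clean")
    print("int('09', 0) raises:", autoradix_parse_fails("09"))
```

The third sample decodes to `http://66.000146.0x7.147/`, an odd-looking but `http:` URL, so it produces no finding and, more to the point, no exception; the first two are rejected on the scheme and on the attribute name respectively, before any decision about the `alert(1)` payload is needed.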