innerHTML based XSS in Nette #1496
output reflects in different context and one of them is an attribute context. In test-bed, input lands as a value of
Now if you input ``onmouseover=alert(1), Nette does not escape the back-tick, as can be seen in the output.
For testing innerHTML based XSS, I have used this tool: http://html5sec.org/innerhtml/ created by Mario Heiderich.
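To make the escaping gap concrete from the defender's side, here is an added example (not Nette's code and not from this issue's author): two HTML-attribute escapers, one covering only the five classic characters and one that also encodes the back-tick, plus a small audit that reports which attribute-delimiter characters an escaper lets through unchanged. The function names, the `renderInput` helper and the probe string are constructed for this illustration.

```javascript
// Added example, not part of Nette. Escaping user input for an HTML
// attribute value must neutralise every character a browser may treat as
// an attribute delimiter. Legacy IE also accepts the back-tick (`) as a
// delimiter, so an escaper that stops at & < > " ' leaves a gap.
const BASIC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const STRICT = { ...BASIC, '`': '&#96;' };

// Models an escaper that handles only the classic five characters.
function escapeAttrLegacy(value) {
  return String(value).replace(/[&<>"']/g, ch => BASIC[ch]);
}

// Hardened variant: additionally encodes the back-tick.
function escapeAttrStrict(value) {
  return String(value).replace(/[&<>"'`]/g, ch => STRICT[ch]);
}

// Renders a server-side template fragment that places user input into a
// double-quoted attribute (hypothetical helper standing in for a template).
function renderInput(escaper, userValue) {
  return '<input value="' + escaper(userValue) + '">';
}

// Characters that some browser, current or legacy, accepts as an
// attribute-value delimiter; each must be encoded by the escaper.
const ATTRIBUTE_DELIMITERS = ['"', "'", '`'];

// Audit: returns the delimiters that survive the escaper unencoded.
function unescapedDelimiters(escaper) {
  return ATTRIBUTE_DELIMITERS.filter(ch => escaper(ch).includes(ch));
}

// Convenience check on rendered markup.
function containsRawBacktick(markup) {
  return markup.includes('`');
}

// Constructed probe mirroring the input described in the issue.
const PROBE = '`onmouseover=alert(1)';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('legacy :', renderInput(escapeAttrLegacy, PROBE));
  console.log('strict :', renderInput(escapeAttrStrict, PROBE));
  console.log('legacy escaper lets through:', unescapedDelimiters(escapeAttrLegacy));
  console.log('strict escaper lets through:', unescapedDelimiters(escapeAttrStrict));
}
```

The audit function is the part worth keeping around: run it against whichever escaper a templating layer uses for attribute context, and treat any non-empty result as a regression. Always-quoting attribute values in the template is the complementary mitigation, since an encoded back-tick inside a double-quoted value cannot terminate it.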
TL;DR: The whole idea of these kinds of vectors is that the server expects the browser to behave according to standards, or at least not to segfault/hang. Today one should expect no less from IE and old browsers.
It is an mXSS attack, not XSS. The m stands for mutation, and it is a problem of browsers' handling of
It is mostly a problem of the IE family, but there are some issues with old Firefox and Chrome. It might be possible to force IE 9+ to use the old engine susceptible to it.
I wanted to write some funny hyperbole but this IE flaw just makes me sad.
Yes, we can even force modern browsers to behave like old ones with the help of options available in the meta tag (the attacker needs to frame the page first and can then set the page behavior)...
@dg Thanks for quick fix.
I have one more comment. I am looking at the test-bed http://hoola.cz/nette-xss-test/?do=form-submit that you created during an earlier issue for testing Nette in different contexts.
My question is related to the style context. If I input a harmless style, e.g., color:red, then it should work, but what I received as output is