XSS 10-xss.php - (Single quote char ['] exploitation may not work, depending on the PHP version) DOM JavaScript exploitation still works.

[stub1t]

Hi,

I think the XSS example (XSS/2/10-xss.php) is no longer vulnerable.
According to the PHP manuals on htmlspecialchars they changes the default flags of htmlspecialchars enabling ENT_QUOTES by default now.

[brumensywh]

Hey!

First of all, thanks for the feedback! It's always appreciated to see that people that are involved into improving the code and keep it working as it should! :)

Indeed the single quote char (') exploit scenario depends on the version of the PHP and it appears as you said that they updated it to a default behavior (finally)

WARNING SPOILER BELOW

However, this is a DOM XSS which makes it interesting...
JavaScript allow Unicode, Hex and Octal. This makes it possible to preform an XSS still! ;)

Example of exploitation:

Best Regards,
Brumens

[stub1t]

Appreciate the detailed answer 👍
Yes sorry, it is still exploitable. I stopped when I read about the new ENT_QUOTES default as I tried it with the latest PHP release.
Thought that was the catch of the challenge, Definitely learned something new here, thanks!

[brumensywh]

Hey!

I'm just grateful you're letting me know. Cool that you learned something new! :)

Best Regards,
Brumens