is xss possible if these chars & " ' / not entity encoded?

Cenzic 232 Patent

Paid Advertising

sla.ckers.org is
ha.ckers sla.cking

Q and A for any cross site scripting information. Feel free to ask away.

Go to Topic: Previous•Next

Go to: Forum List•Message List•New Topic•Search•Log In

is xss possible if these chars & " ' / not entity encoded?

Posted by: bnz

Date: December 17, 2009 05:57PM

reviewing some code, it removes angle brackets but not & " ' / before output into data between tags ie <div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>

can this be exploited?

Options: Reply•Quote

Re: is xss possible if these chars & " ' / not entity encoded?

Posted by: p0deje

Date: December 17, 2009 11:48PM

try using different charsets
http://ha.ckers.org/charsets.html

EDIT: see http://ha.ckers.org/xss.html Character Encoding Calculator

---------
http://p0deje.blogspot.com

Edited 1 time(s). Last edit at 12/17/2009 11:54PM by p0deje.

Options: Reply•Quote

Go to: Forum List•Message List•Search•Log In

Sorry, only registered users may post in this forum.

Click here to login