OWASP's XSS Filter Evasion Cheat Sheet mentions "& JavaScript includes":
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes
The example it provides is as follows:
<BR SIZE="&{alert('XSS')}">
I tried it on jsfiddle with Chrome and Firefox and I'm not getting a JS popup. So on what browsers / versions is this supposed to work on?
The URL:
http://jsfiddle.net/rL1z32xb/
You'll need to break out your copy of Netscape 4 to reproduce it.
Newer versions of Netscape (and every other browser) do not allow that use of the &
operator.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With