OWASP's XSS Filter Evasion Cheat Sheet mentions "& JavaScript includes": https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes The example it provides is as follows: <pre class="prettyprint"><code> </code></pre> I tried it on jsfiddle with Chrome and Firefox and I'm not getting a JS popup. So on what browsers / versions is this supposed to work on? The URL: http://jsfiddle.net/rL1z32xb/

You'll need to break out your copy of Netscape 4 to reproduce it. Newer versions of Netscape (and every other browser) do not allow that use of the <code>&</code> operator.

& JavaScript includes

Tags:

javascript

xss

owasp

OWASP's XSS Filter Evasion Cheat Sheet mentions "& JavaScript includes":

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes

The example it provides is as follows:

<BR SIZE="&{alert('XSS')}">

I tried it on jsfiddle with Chrome and Firefox and I'm not getting a JS popup. So on what browsers / versions is this supposed to work on?

The URL:

http://jsfiddle.net/rL1z32xb/

861

asked Aug 22 '15 17:08

neubert

1 Answers

You'll need to break out your copy of Netscape 4 to reproduce it.

Newer versions of Netscape (and every other browser) do not allow that use of the & operator.

191

answered Oct 31 '22 21:10

Abhi Beckert

Recent Activity
Apple Pay - authorize.net returns error 153 only when live, sandbox works
How to continue cursor loop even error occured in the loop
python find all neighbours of a given node in a list of lists
Fatal error: Call to a member function setColumn() on a non-object in Magento
Count how many of each value from a field with MySQL and PHP
Python 32-bit development on 64-bit Windows [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With