& JavaScript includes

OWASP's XSS Filter Evasion Cheat Sheet mentions "& JavaScript includes":

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes

The example it provides is as follows:

<BR SIZE="&{alert('XSS')}">

I tried it on jsfiddle with Chrome and Firefox and I'm not getting a JS popup. So on what browsers / versions is this supposed to work?

The URL:

http://jsfiddle.net/rL1z32xb/

neubert asked Aug 22 '15 17:08


1 Answer

You'll need to break out your copy of Netscape 4 to reproduce it.

Newer versions of Netscape (and every other browser) do not allow that use of the & operator.

Abhi Beckert answered Oct 31 '22 21:10
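As an added defender-side example (not part of the question or the answer above): a small JavaScript check for the legacy Netscape `&{...}` JavaScript-entity syntax in an attribute value, shown beside a naive blocklist of the kind many filters use, which never looks for it. The function names and all sample strings except the cheat-sheet payload itself are constructed here.

```javascript
// Added example, not from the question or the answer. Modern browsers treat
// &{...} in an attribute as literal text, so this check matters when output is
// audited for legacy vectors or when a filter is expected to be complete.

// Minimal normalisation of character references so the check sees the value a
// browser would decode, not the raw source text. Not a full HTML parser.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&amp;/gi, '&');
}

// True when the decoded attribute value contains the &{ ... } entity form.
function containsLegacyJsEntity(attrValue) {
  return /&\{[\s\S]*\}/.test(decodeEntities(attrValue));
}

// A typical blocklist: script tags, javascript: URLs, on* handlers. It has no
// rule for &{...}, so the cheat-sheet payload passes straight through.
function naiveBlocklistFlags(attrValue) {
  return /<script|javascript:|on\w+\s*=/i.test(attrValue);
}

// Constructed samples (hypothetical): the OWASP payload quoted in the question,
// the same string with '&' written as a numeric reference, and a benign value
// that contains '&' and braces but not the '&{' sequence.
const SAMPLES = {
  cheatSheet: "&{alert('XSS')}",
  numericRef: "&#38;{alert('XSS')}",
  benign: "Tom & Jerry {season 1}",
};

// Run the samples through both checks and report the outcome of each.
function auditSamples() {
  const report = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    report[name] = {
      legacyEntity: containsLegacyJsEntity(value),
      naiveBlocklist: naiveBlocklistFlags(value),
    };
  }
  return report;
}
```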