I have been performing some XSS / JavaScript-injection / penetration testing on my ASP.NET site recently and noticed that modern web browsers (i.e. the latest FF and Chrome) are escaping the URLs entered into the address bar.
So:
http://example.com/search/?q="><script>alert('hi');</script>
is sent to my server as:
http://example.com/search/?q=%22%3e%3cscript%3ealert(%27hi%27)%3b%3c%2fscript%3e
Is there a list of all (major) browsers that do this and those that do not? Do mobile browsers do this?
I think all browsers escape the URLs except those having bugs and not following RFCs (RFC 3986).
If I am not mistaken you can use http://browsershots.org/ or something similar to test it.
Example test: http://browsershots.org/requests/12461378
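An added example (not from the question or the answer, and not ASP.NET code) that shows why the address-bar escaping is not a defence: the server framework percent-decodes the query string, so the application sees the original characters and must still HTML-encode the value when reflecting it. The URL is the one from the question; the render functions and the check helper are hypothetical stand-ins for the site's own code.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request URL exactly as the browser sent it,
# percent-encoded by the address bar, as shown in the question.
ENCODED_URL = ("http://example.com/search/?q="
               "%22%3e%3cscript%3ealert(%27hi%27)%3b%3c%2fscript%3e")


def server_side_value(url: str) -> str:
    """Return the q parameter the way a server framework hands it to app code.

    parse_qs percent-decodes, so the browser's escaping is undone here and
    the application receives the original characters again.
    """
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("q", [""])[0]


def render_unsafe(q: str) -> str:
    """Hypothetical page that reflects the decoded parameter with no output encoding."""
    return f"<p>Results for: {q}</p>"


def render_safe(q: str) -> str:
    """Same page with HTML entity encoding on output, which is the actual defence."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def contains_script_tag(fragment: str) -> bool:
    """Crude check used only to illustrate the difference between the two renderings."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    q = server_side_value(ENCODED_URL)
    print("decoded on server:", q)
    print("unsafe output:", render_unsafe(q))
    print("safe output:  ", render_safe(q))
```

Running it prints the decoded parameter, then the unencoded and entity-encoded renderings side by side.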