Poll on XSS possibility
I know the real answer, but I'm just interested in what people think. So,
having in mind that the following characters are not
allowed: %,!,",:,;',@,#,&,(,),\,',>,{,}.[,],?,-. and the following keywords
are not allowed (case-insensitive):
alert, confirm, prompt, href, /script, eval, throw. All those disallowed
characters are replaced with the symbol |. Now, the XSS will be in a GET
variable which, when entered, will echo back the input once filtered; the
output will be as-is, it will not be in any attributes. Any other
encoding types like UTF-7 will not be possible, only UTF-8. Is XSS in this
case possible? If so, how?
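To make the setup concrete, here is the filter described in the post, implemented literally in Python, next to the context-correct mitigation for output echoed into an HTML body (entity encoding on output). This is an added example, not code from the post; the blocked-character set is my reading of the list above (the "." between } and [ is taken as a typo for a comma, so "." is not blocked), and replacing a whole keyword with a single | is an assumption.

```python
import html
import re

# Characters the post lists as disallowed (my reading of the list; the
# trailing "." is sentence punctuation, so "." itself is not blocked).
BLOCKED_CHARS = frozenset('%!":;\'@#&()\\>{}[]?-')

# Keywords the post lists as disallowed, matched case-insensitively.
BLOCKED_KEYWORDS = ("alert", "confirm", "prompt", "href", "/script", "eval", "throw")


def question_filter(value: str) -> str:
    """The blacklist filter as the post describes it.

    Assumption: each keyword match is replaced by one "|", then every
    blocked character is replaced by "|".  Everything else passes through.
    """
    out = value
    for kw in BLOCKED_KEYWORDS:
        out = re.sub(re.escape(kw), "|", out, flags=re.IGNORECASE)
    return "".join("|" if ch in BLOCKED_CHARS else ch for ch in out)


def encode_for_html_body(value: str) -> str:
    """Context-correct mitigation for the scenario in the post: the value is
    echoed into HTML text content, so entity-encode it on output instead of
    trying to enumerate bad characters on input."""
    return html.escape(value, quote=True)


def echo_page(value: str, use_blacklist: bool) -> str:
    """Render the GET parameter into a minimal page, either through the
    post's blacklist or through output encoding, so the two can be compared."""
    body = question_filter(value) if use_blacklist else encode_for_html_body(value)
    return f"<html><body><p>You entered: {body}</p></body></html>"


if __name__ == "__main__":
    # Constructed sample input, not from the post.
    sample = 'Hello, world! 100% done; see "notes"'
    print(echo_page(sample, use_blacklist=True))
    print(echo_page(sample, use_blacklist=False))
```

The blacklist mangles ordinary text (punctuation becomes |) while output encoding preserves it and still neutralises HTML metacharacters in this context.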