
Oh yes it is!

Consider this HTML:

<a href="{{str}}"> 

and consider an input like:

" onmouseover="alert('GOTCHA')" 

You get the picture.

If your JavaScript is being injected within a tag, then you don't need the angle brackets. I borrowed this off this similar S/O post: https://stackoverflow.com/questions/5696244/xss-is-escaping-and-sufficient

If you are interested in filter evasion like this consult:

https://owasp.org/www-community/xss-filter-evasion-cheatsheet

This has all the common stuff.

As far as safety is concerned: Encode all the things! You never know how clever the attacker is.
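The attribute break-out described in this answer, as an added example that is not part of the original post: it assumes a naive `{{str}}` interpolation into `<a href="...">`, and contrasts a filter that only escapes angle brackets with a proper attribute-context encoder, using a small attribute counter as the check a reviewer could run over the rendered markup.

```javascript
// Naive filter: strips only the angle brackets that a "tag-based" XSS check
// looks for. It leaves the double quote intact.
function escapeAngleBracketsOnly(s) {
  return String(s).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute-context encoder: encodes &, <, >, " and ' so the value can never
// terminate the quoted attribute it is placed in.
function escapeHtmlAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for the template in the answer: <a href="{{str}}">
// (assumed to interpolate the encoder's output verbatim).
function renderLink(str, encoder) {
  return `<a href="${encoder(str)}">`;
}

// Constructed input: the exact payload shape the answer shows.
const INPUT = '" onmouseover="alert(\'GOTCHA\')"';

// Defender-side check: list the attribute names that end up on the tag.
// Correct encoding leaves exactly one (href); a break-out adds a handler.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

console.log(renderLink(INPUT, escapeAngleBracketsOnly));
// <a href="" onmouseover="alert('GOTCHA')">   -> attributes: href, onmouseover
console.log(renderLink(INPUT, escapeHtmlAttribute));
// <a href="&quot; onmouseover=&quot;alert(&#39;GOTCHA&#39;)&quot;">   -> attributes: href
```

The attribute counter is a sanity check for test fixtures, not a sanitizer; the fix is the contextual encoder.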
