Combining Unicode and Hex decimal

Monday, 24 September 2007

I thought this was cool whilst experimenting, I found I could use hex decimal (ooops that’s what I get for posting on Monday morning) entities within a url to combine unicode strings to produce anything. The result is a truly obscure looking javascript, I’ve included a plain text alert to help understand what’s going on, the code basically translates to javascript:x=’eval’ notice how it is possible to assign strings even though entities are used.

Test

The entry 'Combining Unicode and Hex decimal' was posted on September 24th, 2007 at 12:24 pm and last modified on September 24th, 2007 at 3:38 pm, and is filed under javascript, Security, xss. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

2 Responses to “Combining Unicode and Hex decimal”

  1. phucdull writes:
    No. 1 — December 31st, 2008 at 6:32 am

    You suck!

  2. Gareth Heyes writes:
    No. 2 — December 31st, 2008 at 9:09 am

    Thanks you suck too!

«
»