Injecting the script tag into XML

Firefox is now the browser I like hacking; there’s just so much stuff it can do. I simply don’t have enough time to explore everything, but what I have found is some very interesting XML behavior. I was helping Ronald a while back with a Firefox chrome security flaw, and we discussed on slackers that some XML entities in Firefox contain sensitive information which it is possible to read using XHR.

I thought about what other interesting things I could do with XML entities, and I found a way of injecting script tags using them. This could have implications if, for example, you offer an HTML upload service but filter out dangerous tags. The proof of concept is very basic but displays the method clearly.

XML injection
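
For the upload-service case mentioned above, here is an added example (not code from the original post) of a server-side check that parses an upload with Python's `xml.parsers.expat`, records every DTD entity declaration and every element seen after entity expansion, and rejects the upload if either looks unsafe. The sample documents, the `BLOCKED` set and the function names are constructed for illustration; a harmless `<em>` stands in for markup that lives only in an entity's replacement text.

```python
import xml.parsers.expat

# Element the upload filter must never let through (the tag named in the post).
BLOCKED = {"script"}

# Constructed sample upload: the <em> exists only inside the entity's
# replacement text, never literally in the document body.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY note "<em>added by entity</em>">
]>
<doc><p>&note;</p></doc>"""

# Constructed sample upload with no DTD at all.
CLEAN = b"""<?xml version="1.0"?>
<doc><p>plain text</p></doc>"""


def inspect_upload(doc: bytes):
    """Return (declared entity names, element names seen after expansion)."""
    entities, elements = [], []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        entities.append(name)

    def on_start(name, attrs):
        elements.append(name)

    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.Parse(doc, True)
    return entities, elements


def is_acceptable(doc: bytes) -> bool:
    """Reject malformed XML, any entity declaration, and blocked elements."""
    try:
        entities, elements = inspect_upload(doc)
    except xml.parsers.expat.ExpatError:
        return False
    if entities:  # user uploads have no need to define their own entities
        return False
    # Compare local names so a namespace prefix does not hide a blocked tag.
    return not any(e.split(":")[-1].lower() in BLOCKED for e in elements)


if __name__ == "__main__":
    print("parser saw:", inspect_upload(SAMPLE))
    print("sample ok:", is_acceptable(SAMPLE), "clean ok:", is_acceptable(CLEAN))
```

The body of `SAMPLE` after the DOCTYPE contains no literal `<em`, yet the parser reports an `em` element, which is why a filter that only scans the visible markup for dangerous tags is not enough.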

8 Responses to “Injecting the script tag into XML”

  1. buherator writes:

    It works on Opera 9.23 Linux too 😉

  2. Gareth Heyes writes:

    Hehe cool, I’ve not tried it in other browsers

  3. thornmaker writes:

    /me likes it. very clever

  4. Jordan writes:

    In case you’re curious, Safari 2.0.4 doesn’t like the inject entity:

    This page contains the following errors:

    error on line 11 at column 46: Entity ‘inject’ not defined

    iPhone version shows the alert(1) text itself, but not in a script element.

  5. Gareth Heyes writes:


    Thanks for the info, useful 🙂

    Cheers 🙂

  6. kourge writes:

    This works with WebKit 25438.

  7. Oniric writes:


  8. raaka! writes:

    Gareth Heyes


    I developed months ago, exploited Google Toolbar using this technique. I deserve some credit 😀

    If you are interested in the POC, let me know.