Comments on: HTML5 XSS http://www.thespanner.co.uk/2009/03/20/html5-xss/ A tool for designers dealing with programmers dealing with designers... Wed, 08 Sep 2010 00:47:50 +0000 http://wordpress.org/?v=2.6.2 By: eric su http://www.thespanner.co.uk/2009/03/20/html5-xss/#comment-1546 eric su Wed, 29 Apr 2009 02:47:44 +0000 http://www.thespanner.co.uk/?p=372#comment-1546 @cosine thanks for the Chinese version lol @cosine
thanks for the Chinese version lol

]]> By: Anne van Kesteren http://www.thespanner.co.uk/2009/03/20/html5-xss/#comment-1507 Anne van Kesteren Fri, 27 Mar 2009 12:03:04 +0000 http://www.thespanner.co.uk/?p=372#comment-1507 Both seem to rely on blacklists being used, which are a pretty bad idea for exactly this reason. Both seem to rely on blacklists being used, which are a pretty bad idea for exactly this reason.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2009/03/20/html5-xss/#comment-1485 Gareth Heyes Mon, 23 Mar 2009 09:34:49 +0000 http://www.thespanner.co.uk/?p=372#comment-1485 @Ian It's a new tag to execute automatically, this could be XSS filters that use a blacklist of HTML tags but even so there are new event handlers pointed out by cosine:- <video src="somevalidvideo" onloadedmetadata="alert(document.cookie);" ondurationchanged="alert(/XSS2/);" ontimeupdate="alert(/XSS1/);"></video> @Ian

It’s a new tag to execute automatically, this could be XSS filters that use a blacklist of HTML tags but even so there are new event handlers pointed out by cosine:-

<video src=”somevalidvideo” onloadedmetadata=”alert(document.cookie);” ondurationchanged=”alert(/XSS2/);” ontimeupdate=”alert(/XSS1/);”></video>

]]> By: Ian Hickson http://www.thespanner.co.uk/2009/03/20/html5-xss/#comment-1484 Ian Hickson Mon, 23 Mar 2009 03:12:54 +0000 http://www.thespanner.co.uk/?p=372#comment-1484 Isn't that the same as: <img src=1 onerror=alert(1)> ...? Isn’t that the same as:

<img src=1 onerror=alert(1)>

…?

]]> By: Gareth Heyes http://www.thespanner.co.uk/2009/03/20/html5-xss/#comment-1483 Gareth Heyes Sat, 21 Mar 2009 15:26:02 +0000 http://www.thespanner.co.uk/?p=372#comment-1483 @cosine cool thanks! @cosine

cool thanks!

]]> By: cosine http://www.thespanner.co.uk/2009/03/20/html5-xss/#comment-1482 cosine Sat, 21 Mar 2009 14:14:24 +0000 http://www.thespanner.co.uk/?p=372#comment-1482 it is nice. and, you can have a look,here:) http://hi.baidu.com/aullik5/blog/item/0a4af8f3431ab21bb07ec57a.html it is nice.
and, you can have a look,here:)
http://hi.baidu.com/aullik5/blog/item/0a4af8f3431ab21bb07ec57a.html

]]>