Comments on: HTML5 new XSS vectors http://www.thespanner.co.uk/2009/12/06/html5-new-xss-vectors/ Javascript blog with messed up syntax inside Thu, 26 Jan 2012 01:38:34 +0000 hourly 1 By: Gareth Heyes http://www.thespanner.co.uk/2009/12/06/html5-new-xss-vectors/#comment-1755 Gareth Heyes Fri, 14 May 2010 08:41:00 +0000 http://www.thespanner.co.uk/?p=573#comment-1755 @Patrick Well that's how XSS works, devs forget to filter the quote or others and you can inject your own scripts. BTW spaces aren't required either for example:- <input value=""onfocus="alert(1)"autofocus/"> @Patrick

Well that’s how XSS works, devs forget to filter the quote or others and you can inject your own scripts. BTW spaces aren’t required either for example:-
<input value=”"onfocus=”alert(1)”autofocus/”>

]]> By: Patrick H. Lauke http://www.thespanner.co.uk/2009/12/06/html5-new-xss-vectors/#comment-1754 Patrick H. Lauke Fri, 14 May 2010 08:01:48 +0000 http://www.thespanner.co.uk/?p=573#comment-1754 I admit that I don't quite get what he's driving at. In most cases, if the user input can contain any characters like spaces, you'd have your server-side script do <input type=text value="[USER INPUT]"> as otherwise only the first word before the first space gets taken as a value? Then you'd strip out any double-quotes as well as part of your sanitisation. So in his examples you'd end up with <input type=text value="autofocus onfocus=alert(1)"> which I don't think executes? I admit that I don’t quite get what he’s driving at. In most cases, if the user input can contain any characters like spaces, you’d have your server-side script do

<input type=text value=”[USER INPUT]“>

as otherwise only the first word before the first space gets taken as a value? Then you’d strip out any double-quotes as well as part of your sanitisation. So in his examples you’d end up with

<input type=text value=”autofocus onfocus=alert(1)”>

which I don’t think executes?

]]> By: dalrong http://www.thespanner.co.uk/2009/12/06/html5-new-xss-vectors/#comment-1753 dalrong Fri, 14 May 2010 06:23:44 +0000 http://www.thespanner.co.uk/?p=573#comment-1753 thank you~ thank you~

]]> By: HtD http://www.thespanner.co.uk/2009/12/06/html5-new-xss-vectors/#comment-1669 HtD Sat, 19 Dec 2009 17:39:09 +0000 http://www.thespanner.co.uk/?p=573#comment-1669 Great Work ! Its Featured, http://hackerthedude.blogspot.com/2009/12/new-html-5-xss-vectors-by-gareth-heyes.html Regards, Great Work !

Its Featured,
http://hackerthedude.blogspot.com/2009/12/new-html-5-xss-vectors-by-gareth-heyes.html

Regards,

]]> By: Radoslav Stankov http://www.thespanner.co.uk/2009/12/06/html5-new-xss-vectors/#comment-1659 Radoslav Stankov Thu, 10 Dec 2009 21:50:58 +0000 http://www.thespanner.co.uk/?p=573#comment-1659 Really interesting and scary ... :) Really interesting and scary … :)

]]>