Created
March 28, 2012 20:55
-
-
Save alanszlosek/2230435 to your computer and use it in GitHub Desktop.
JavaScript injection example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <body> | |
| <h1>Example Scenario</h1> | |
| <p>Save this locally as an HTML file and try it out. Open it and then look in your Firebug | |
| or developer console. More details here: | |
| http://blog.alanszlosek.com/post/20077489479/tag-stripping-not-sufficient-to-prevent-javascript</p> | |
| <p>What follows is an example of JavaScript injection. The real-world scenario might involve | |
| a simple blog web application involving Title and Body fields. The submitted values can sneak past HTML | |
| tag stripping functions like PHP's strip_tags(). I haven't tested against built-in tag-stripping | |
| function found in other languages.</p> | |
| <!-- Everything between the H2 tags was entered into the Blog Title field --> | |
| <h2>Title with injection <script a="</h2> | |
| <!-- Everything between the DIV tags was entered into the Blog Body field --> | |
| <div> | |
| ">console.log('JavaScript successfully injected!');</script | |
| </div> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment