Skip to content

Inline JS with html-entities context #35

Open
tank1st99 opened this issue Apr 5, 2018 · 1 comment
Open

Inline JS with html-entities context #35

tank1st99 opened this issue Apr 5, 2018 · 1 comment
Assignees
@kochetkov @Barkhat26
Labels
false positive/negative
Milestone
v1.0

Comments

@tank1st99
Copy link

tank1st99 commented Apr 5, 2018
edited by kochetkov
Loading

The library incorrectly resolves contexts with HTML-entities inside the inlined JS-code.

False Positive:
Format String:
<a href="#" onclick="alert(&quot;{0}&quot;);">test</a>
Payload:
False Positive

XSS 1:
Format String:
<a href='#' onclick='alert(&quot;"{0}"&quot;);'>XSS</a>
Payload:
+alert(2)+

XSS 2:
Format String:
<a href="#" onclick='alert("Tom&{0}");'>XSS?</a>
Payload:
quot;);alert(2);//
@kochetkov
Copy link
Member

The bug is confirmed. Please contact me at [email protected] to get information on receiving prizes.

@Barkhat26 Barkhat26 self-assigned this May 24, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@kochetkov kochetkov

@Barkhat26 Barkhat26

Labels
false positive/negative
Projects
None yet
Milestone
v1.0
Development

No branches or pull requests
3 participants
@kochetkov @Barkhat26 @tank1st99