This repository was archived by the owner on Nov 15, 2017. It is now read-only.
Address potential cross-scripting attempts #47
Labels
Comments
|
A naive/ simple approach to this should be simply storing the request and matching all scripting to the original requests. Right? |
|
This is what Chromium itself does. For an extension, I don't see how this is possible, as extensions can't block inline scripting (issue #35). I suppose the best option is to have webkit fix the code so this bypass doesn't work. I am trying to find out if there is a bug opened for this one particular case. |
|
Chromium is best position to do this, and they already have XSSAuditor, they should fix whatever holes it has at that level. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
As in http://labs.lachisterablanca.com/poc/bypass/index.php?%3Cscript%3Ealert(%27XSS%20WITH%20WHITESPACES%27);%3C/script%3E=anyValue
The text was updated successfully, but these errors were encountered: