LibProtection / libprotection-dotnet

.NET implementation of LibProtection library
MIT License

Inline JS with html-entities context #35

Open tank1st99 opened 6 years ago

tank1st99 commented 6 years ago

The library incorrectly resolves contexts when HTML entities appear inside inlined JS code.

False Positive:
Format String: `<a href="#" onclick="alert(&quot;{0}&quot;);">test</a>`
Payload: `False Positive`

XSS 1:
Format String: `<a href='#' onclick='alert(&quot;"{0}"&quot;);'>XSS</a>`
Payload: `+alert(2)+`

XSS 2:
Format String: `<a href="#" onclick='alert("Tom&{0}");'>XSS?</a>`
Payload: `quot;);alert(2);//`
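Worked example added here, not code from LibProtection or from the reporter: it models the first and the XSS 2 format strings above in JavaScript and shows why a value placed in inline JS inside an HTML attribute has to be resolved after HTML-entity decoding. The browser decodes the attribute value first and only then hands it to the JS parser, so the value must be escaped for the inner (JS string) context first and the outer (HTML attribute) context last. All function names, `FORMAT_FIXED` (the XSS 2 template with its `&` written as `&amp;`) and the sample value `a"b\c<d>&e` are assumptions; `htmlAttrDecode` is a simplified model of attribute decoding, not a full HTML parser.

```javascript
// Added example (not LibProtection code). Attribute values from the page's formats:
const FORMAT_OK = 'alert(&quot;{0}&quot;);';      // false-positive case: well-formed HTML
const FORMAT_BARE_AMP = 'alert("Tom&{0}");';    // XSS 2: a bare '&' right before the slot
const FORMAT_FIXED = 'alert("Tom&amp;{0}");';   // assumed repair of XSS 2: '&' encoded in the template
const PAYLOAD_XSS2 = 'quot;);alert(2);//';      // payload from the XSS 2 report

// 1. Inner layer: escape for a double-quoted JS string literal. Every UTF-16 unit
//    that is not an ASCII letter, digit or space becomes \uXXXX, so no quote,
//    backslash, newline, '<', '&' or '/' survives in raw form.
function jsStringEscape(value) {
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    out += /[A-Za-z0-9 ]/.test(ch)
      ? ch
      : '\\u' + value.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// 2. Outer layer: escape for a double-quoted HTML attribute value.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Both layers, applied inner-first (JS escape, then HTML attribute encode).
const layeredEncode = v => htmlAttrEncode(jsStringEscape(v));

// Simplified model of what the HTML tokenizer does to an attribute value before
// the JS engine sees it. Numeric references and &apos; need the ';'; quot/amp/lt/gt
// are legacy names that browsers also decode without ';' inside attributes unless
// the next character is '=' or alphanumeric (HTML "named character reference state").
function htmlAttrDecode(s) {
  const legacy = { quot: '"', amp: '&', lt: '<', gt: '>' };
  return s.replace(
    /&(?:#x([0-9a-f]+);|#([0-9]+);|(apos);|(quot|amp|lt|gt)(?:;|(?![=A-Za-z0-9])))/gi,
    (m, hex, dec, apos, name) => {
      if (hex !== undefined) return String.fromCodePoint(parseInt(hex, 16));
      if (dec !== undefined) return String.fromCodePoint(parseInt(dec, 10));
      if (apos !== undefined) return "'";
      return legacy[name.toLowerCase()];
    });
}

// Parse the JS the browser would run, expecting exactly `alert("<one literal>");`.
// Returns the literal's decoded value, or null if the inserted data escaped the
// literal (it ended early, never closed, or was followed by extra tokens).
function extractAlertArgument(js) {
  const prefix = 'alert("';
  if (!js.startsWith(prefix)) return null;
  let i = prefix.length, out = '';
  while (i < js.length && js[i] !== '"') {
    if (js[i] === '\n' || js[i] === '\r') return null;           // unterminated literal
    if (js[i] === '\\') {
      const hex = js.slice(i + 2, i + 6);
      if (js[i + 1] === 'u' && /^[0-9a-fA-F]{4}$/.test(hex)) {
        out += String.fromCharCode(parseInt(hex, 16)); i += 6; continue;
      }
      if (i + 1 >= js.length) return null;
      out += js[i + 1]; i += 2; continue;                          // \" \\ \/ ...
    }
    out += js[i++];
  }
  return js.slice(i) === '");' ? out : null;
}

// Substitute the encoded value into the format (function replacement avoids '$' patterns).
function render(format, encoded) { return format.replace('{0}', () => encoded); }

// The string the JS engine would pass to alert() for a given format, encoder and value,
// or null if the value broke out of the literal.
function resultingArgument(format, encoder, value) {
  return extractAlertArgument(htmlAttrDecode(render(format, encoder(value))));
}

// Constructed checks (see the test below for the expected results).
const SAMPLE = 'a"b\\c<d>&e';
console.log(resultingArgument(FORMAT_OK, layeredEncode, SAMPLE));              // round-trips
console.log(resultingArgument(FORMAT_OK, htmlAttrEncode, 'x"y'));              // null: quote reaches JS
console.log(resultingArgument(FORMAT_BARE_AMP, htmlAttrEncode, PAYLOAD_XSS2)); // null: XSS 2 breakout
console.log(resultingArgument(FORMAT_BARE_AMP, layeredEncode, PAYLOAD_XSS2));  // null: bare '&' still forms &quot
console.log(resultingArgument(FORMAT_FIXED, layeredEncode, PAYLOAD_XSS2));     // 'Tom&' + payload
```

Three things the checks make visible. HTML-attribute encoding alone gives no protection in the JS context, because the browser turns `&quot;` back into a quote before the JS parser runs; the value has to be JS-escaped first and HTML-encoded second. A format with a bare `&` immediately before the slot (the XSS 2 case) cannot be repaired by encoding the value at all, since the browser completes `&quot` into a quote even without a trailing `;` unless the next character is `=` or alphanumeric; the template's own `&` must be written as `&amp;`. And a library that resolves the context, as LibProtection does, has to decode entities in the attribute before deciding which JS context the slot is in, which is exactly what the report above says goes wrong.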

kochetkov commented 6 years ago

The bug is confirmed. Please contact me at vkochetkov@ptsecurity.com to get information on receiving prizes.