Open adon-at-work opened 9 years ago
It is an interesting pattern that in theory can bypass any blacklist/whitelist filter. However, if we consider the attribute value context as a whole and trigger the URI parser to parse the string, then we can detect this issue.
Documented here is another possibility: `{{url1}}{{url2}}`, where `{{url1}}` is `java` and `{{url2}}` is `script:alert(1)`. For example: `java{{url}}`
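The two halves of the issue above, as an added example that is not code from the xss-filters project or from the issue author: a naive per-placeholder filter that lets `java` + `script:alert(1)` through because it only ever sees one fragment, beside the whole-attribute check the comment proposes (assemble the value, hand it to the URL parser, allow only known-safe schemes). Every function name, the scheme allowlist and the `https://example.com/` base used to resolve relative references are assumptions made for this illustration.

```javascript
// Added example, not code from the xss-filters project or the issue author.
// (1) per-fragment filtering is bypassed by splitting "javascript:" across
//     two template placeholders;
// (2) parsing the assembled attribute value with the WHATWG URL parser and
//     allowlisting the resulting scheme detects it.
// All names, the allowlist and the base URL are hypothetical.
"use strict";

// Naive per-fragment filter: rejects a fragment only if that fragment itself
// starts with a dangerous scheme. Neither "java" nor "script:alert(1)" does.
function naiveFilterFragment(fragment) {
  return /^\s*(javascript|vbscript|data)\s*:/i.test(fragment) ? "#" : fragment;
}

// Minimal HTML attribute escaping for a double-quoted attribute value.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Renders <a href="{{url1}}{{url2}}"> the way a per-placeholder filter would:
// each fragment is filtered on its own, then concatenated.
function renderPerFragment(url1, url2) {
  return '<a href="' + escapeAttr(naiveFilterFragment(url1))
       + escapeAttr(naiveFilterFragment(url2)) + '">';
}

// Whole-attribute check: parse the complete (entity-decoded) value with the
// URL parser, resolving relative references against an assumed base, and keep
// it only if the resulting scheme is on the allowlist. The parser already
// strips the leading whitespace and embedded tabs/newlines a browser ignores,
// and lowercases the scheme, so "java\tscript:" and " JavaScript:" are caught.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const ASSUMED_BASE = "https://example.com/";

function safeHrefValue(value) {
  let parsed;
  try {
    parsed = new URL(value, ASSUMED_BASE);
  } catch (e) {
    return "#"; // unparsable: refuse rather than guess
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? value : "#";
}

// Same template, but the check runs on the assembled value, not the pieces.
function renderWhole(url1, url2) {
  return '<a href="' + escapeAttr(safeHrefValue(url1 + url2)) + '">';
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderPerFragment("java", "script:alert(1)")); // bypassed
  console.log(renderWhole("java", "script:alert(1)"));       // neutralised
}
```

The check has to run on the value as the browser will see it, i.e. after any HTML entity decoding and before attribute escaping; it decides only on the scheme, so a permitted `https:` link to an untrusted host still goes through.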