Open crptjm59810 opened 6 years ago
DiscuzX uses an XML document as its response. It will cause the script to be injected. But we only want inject.js to be injected into HTML.
A <form> targets an iframe, and then the form is submitted. The iframe gets the result in XML format. Because it doesn't have the document.documentElement.dataset attribute.
<iframe name="my_iframe" onload="my_iframe_onload()"></iframe>
<form action="submit.php" method="POST" target="my_iframe">
<input type="submit">
</form>
<script>
function my_iframe_onload() {
  console.log(document.getElementsByName("my_iframe")[0].contentWindow.document.documentElement.textContent);
}
</script>
<?php
header('Content-Type: text/xml');
?><?xml version="1.0" encoding="UTF-8"?>
<root><![CDATA[Hello]]></root>
Hello
{
const toBlob = HTMLCanvasElement.prototype.toBlob;
const toDataURL = HTMLCanvasElement.prototype.toDataURL;
......
document.documentElement.dataset.htGfd = true;
}Hello
Windows 10 64-bit Chrome 73
Canvas Blocker has a bug on Chrome; I tested it on Firefox, which also has this bug. Canvas Blocker will cause website auto-jump failure. You can reproduce it at this link: http://codersclub.org/discuzx/member.php?mod=register No matter whether you log in or register, the page does not auto jump. Maybe making an option to keep the same canvas fingerprint for a while, like 5 minutes, would solve it.
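For the XML case in the original report, one way a content script can guard its injection, as an added example that is not the extension's own code. The function names and the mock document (a constructed stand-in so it runs under Node) are assumptions.

```javascript
// Added example; isHtmlDocument, naiveInject, injectPageScript and mockDocument are hypothetical names.
const XHTML_NS = "http://www.w3.org/1999/xhtml";

// True only when the response is an HTML page whose root element is <html>.
function isHtmlDocument(doc) {
  const root = doc && doc.documentElement;
  if (!root) return false;
  const type = (doc.contentType || "").toLowerCase();
  if (type !== "text/html" && type !== "application/xhtml+xml") return false;
  return root.namespaceURI === XHTML_NS && root.localName === "html";
}

// Unguarded variant for comparison (constructed): the script text ends up in the XML result.
function naiveInject(doc, source) {
  const script = doc.createElement("script");
  script.textContent = source;
  doc.documentElement.appendChild(script);
}

// Guarded variant: skip non-HTML responses, and remove the node once it has run
// (an inline script executes synchronously on insertion) so textContent stays clean.
function injectPageScript(doc, source) {
  if (!isHtmlDocument(doc)) return false;
  const script = doc.createElement("script");
  script.textContent = source;
  doc.documentElement.appendChild(script);
  script.remove();
  return true;
}

// Constructed stand-in for a DOM document, only the members used above.
function mockDocument(contentType, localName, namespaceURI, text) {
  const root = {
    localName, namespaceURI, children: [text],
    appendChild(node) { node.parent = this; this.children.push(node); },
    get textContent() {
      return this.children.map(c => (typeof c === "string" ? c : c.textContent)).join("");
    },
  };
  return {
    contentType, documentElement: root,
    createElement: () => ({
      textContent: "",
      remove() { this.parent.children.splice(this.parent.children.indexOf(this), 1); },
    }),
  };
}
```

In a browser the same checks read `document.contentType` and `document.documentElement` directly; a `text/xml` response like the `<root>` sample has a null namespace on its root element and is skipped.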