kissyteam / kissy

A Powerful Collection Of Modules
http://docs.kissyui.com

hashchange XSS #132

Closed keyapril closed 12 years ago

keyapril commented 12 years ago

KISSY Version :

All versions

Browsers :

IE6/7/8

What steps will reproduce the problem?

1. Save the following file

```html
<!DOCTYPE HTML>
<html lang="en-US">
<head>
    <meta charset="UTF-8">
    <script src="http://a.tbcdn.cn/s/kissy/1.2.0/kissy-min.js"></script>
    <title></title>
    <script type="text/javascript">
    KISSY.ready(function  (S) {
        S.one(window).on('hashchange',function(){
            alert(2);
        })
    })
    </script>
</head>
<body>
    <a href="#!/deliver/order/order-relatedplan/orderName=<script>alert('ok');</script>&orderId=102973">xx</a>
</body>
</html>
```

2. Click xx

What is the expected result?

The script in the hash does not execute.

What happens instead?

The script in the hash executes and alerts "ok".

yiminghe commented 12 years ago

Note: whenever you put user content into the page, always use S.escapeHTML!
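
The advice in the comment above, shown as an added example that is not KISSY code and not written by either commenter: a value read from the hash in the report is placed into markup once as-is and once escaped. The helper `escapeHtml` is a stand-in for `S.escapeHTML`, and `safeDecode`, `hashParam`, `renderUnsafe` and `renderSafe` are hypothetical names.

```javascript
// Added example, not KISSY source; every function name here is hypothetical.
// escapeHtml stands in for the S.escapeHTML call the comment recommends.
const ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;', '/': '&#x2F;'
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`\/]/g, (ch) => ENTITIES[ch]);
}

// Hash taken from the <a href> in the report, reused as sample input.
const SAMPLE_HASH =
  "#!/deliver/order/order-relatedplan/orderName=<script>alert('ok');</script>&orderId=102973";

// decodeURIComponent throws on malformed sequences such as "%zz";
// keep the raw text in that case so it is still escaped afterwards.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (e) {
    return text;
  }
}

// Read one key=value pair from a "#!/path/key=value&key=value" fragment.
function hashParam(hash, name) {
  const key = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const match = new RegExp('(?:^|[/&])' + key + '=([^&]*)').exec(hash);
  return match ? safeDecode(match[1]) : '';
}

// Unsafe pattern: fragment text is concatenated into markup as-is.
function renderUnsafe(hash) {
  return '<p>Order: ' + hashParam(hash, 'orderName') + '</p>';
}

// Hardened pattern: the same value is escaped before it reaches the page.
function renderSafe(hash) {
  return '<p>Order: ' + escapeHtml(hashParam(hash, 'orderName')) + '</p>';
}

console.log(renderUnsafe(SAMPLE_HASH));
console.log(renderSafe(SAMPLE_HASH));
```

Escaping happens after decoding, so a percent-encoded tag in the fragment is neutralised the same way as a literal one.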