Description: exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz as a vulnerability in Hotmail.
    http://ha.ckers.org/xss.html#XSS_DIV_background_image_unicode
Options: -safe_attrs_only
Ignore: true
Notes: I don't understand how this exploit works.  It seems like the description actually refers to
       the unicode you'd import, but why that matters I don't know.

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">text</div>
----------
<div style="background-image: ">text</div>
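
What the escaped STYLE value in the test input resolves to once CSS backslash escapes are decoded, and why a check on the raw text misses it. This is an added example, not part of the original test file; `css_unescape`, `style_has_script_url` and the list of script schemes are hypothetical names and assumptions, and the escape handling is a simplified reading of the CSS Syntax rules.

```python
import re

# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace character
# that is swallowed), or backslash + any other single character taken literally.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])")

def css_unescape(value):
    """Resolve CSS backslash escapes in a style value (simplified)."""
    def repl(m):
        if m.group(1) is None:
            return m.group(2)
        cp = int(m.group(1), 16)
        # Null, surrogates and out-of-range code points become U+FFFD.
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return "\ufffd"
        return chr(cp)
    return _CSS_ESCAPE.sub(repl, value)

# Assumption: these two schemes are the ones the check cares about.
_SCRIPT_URL = re.compile(r"url\(\s*['\"]?\s*(javascript|vbscript)\s*:", re.I)

def style_has_script_url(value):
    """True if the style value, after unescaping, contains a script-scheme url()."""
    return bool(_SCRIPT_URL.search(css_unescape(value)))

# The STYLE value from the test input above, copied verbatim.
SAMPLE = (r"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073"
          r"\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027"
          r"\0058.1053\0053\0027\0029'\0029")

if __name__ == "__main__":
    print(css_unescape(SAMPLE))                     # decoded property value
    print(style_has_script_url(SAMPLE))             # check after unescaping
    print(_SCRIPT_URL.search(SAMPLE) is not None)   # same check on raw text
```

A sanitizer that matches on the raw attribute text never sees the `url(` token, which is why the expected output above drops the property value entirely.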