XSS Injection Vulnerability – Chrome, Firefox, IE, Safari

A friend of mine, Tristan Burch, encountered this issue today. It is present in all browsers and has been closed as invalid in Firefox.

The browser’s HTML parser doesn’t know anything about JavaScript, so it interprets the closing script tag within the string. The above snippet results in an XSS vulnerability.

The lesson here is that it is dangerous to place user-submitted values directly into a JavaScript string. Developers should take care to always escape “<”, “>” and “&” when generating pages on the server side.
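The behaviour and the fix can be checked in Node.js with the sketch below. It is an added example, not code from the original post: the function names and the sample value are constructed, and it assumes JavaScript `\u003c`-style escapes as the escaping form, because HTML entities are not decoded inside a script element.

```javascript
// Added example. All names here are hypothetical; the sample value is constructed.

// Naive server-side rendering: JSON.stringify escapes quotes and backslashes,
// so the value is a valid JavaScript string literal, but "<", ">" and "&"
// pass through untouched.
function renderNaive(userValue) {
  return '<script>var name = ' + JSON.stringify(userValue) + ';</script>';
}

// Hardened rendering: after producing the string literal, rewrite the three
// characters the post names as JavaScript unicode escapes. The JavaScript
// engine decodes them back to the original characters, but the HTML parser
// never sees a "<" inside the script body.
const SCRIPT_ESCAPES = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026' };

function jsStringForScript(userValue) {
  return JSON.stringify(String(userValue))
    .replace(/[<>&]/g, (ch) => SCRIPT_ESCAPES[ch]);
}

function renderSafe(userValue) {
  return '<script>var name = ' + jsStringForScript(userValue) + ';</script>';
}

// Rough stand-in for the HTML parser's view: a script element ends at the
// first "</script" it meets, whether or not that text sits inside a
// JavaScript string. More than one closer means the value ended the block early.
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed input: a display name that happens to contain a closing tag.
const sample = 'Tristan</script><b>markup from the value</b>';

console.log(renderNaive(sample));
console.log('closers, naive:', countScriptClosers(renderNaive(sample)));
console.log(renderSafe(sample));
console.log('closers, safe: ', countScriptClosers(renderSafe(sample)));
```

In the naive output everything after the first closer is parsed as HTML, which is the injection the post describes; in the hardened output the only closer is the one the template wrote.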

The correct HTML should be:

After all the advancements there have been in browsers, it's surprising to still run into these kinds of things.
