Re: JavaScript Injection ???

On Mon, 2011-04-18 at 22:43 +0530, Shreyas Agasthya wrote:

> Is someone up to Cross Site Scripting? ;)
> 
> --Shreyas
> 
> On Mon, Apr 18, 2011 at 10:39 PM, Joshua Kehn <josh.kehn@xxxxxxxxx> wrote:
> 
> > On Monday, April 18, 2011 at 1:06 PM, tedd wrote:
> > > Hi gang:
> > >
> > > Quite some time ago I had a demo that showed JavaScript injection. It
> > > was where a user could type in:
> > >
> > > <script> alert("Evil Code");</script>
> > >
> > > and a JavaScript alert would be shown.
> > >
> > > But now my demo no longer works. So, what happened? Was there a PHP
> > > update that prohibited that sort of behavior or did hosts start
> > > setting something to OFF, or what?
> > >
> > > If you know, please explain.
> > >
> > > Thanks,
> > >
> > > tedd
> > > --
> > > -------
> > > http://sperling.com/
> > Not that I know of. Are you talking about on-page injection, like comments
> > and such? Normally JS injection would be that (bad scripts inserted by the
> > user on a comment form or review page) or where you are using eval() and
> > they dump bad code into there.
> >
> > Regards,
> >
> > -Josh
> > ___________________________________________
> > Joshua Kehn | Josh.Kehn@xxxxxxxxx
> > http://joshuakehn.com
> >
> >
> >
> 
> 


I believe the reason for it not working now is because most browsers
won't pop up an alert without being triggered by something, i.e. a mouse
event, page load, etc. You might be able to change the code to do
something else like output to the Firebug console, use document.write,
or change the status bar text (although for that to work you'll need to
change browser settings in most modern browsers like Opera, Fx, Chrome,
etc.)

-- 
Thanks,
Ash
http://www.ashleysheridan.co.uk
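
The on-page injection discussed in this thread (user text from a comment form echoed back into the page), shown as an added example that is not part of the original messages or anyone's demo code. The function names and sample comments are constructed for illustration; it contrasts raw output with output encoded through PHP's `htmlspecialchars()`.

```php
<?php
// Added illustration: function names and sample data are hypothetical.

/** Vulnerable: user-controlled text is concatenated into HTML as-is. */
function render_comment_unsafe(string $author, string $body): string
{
    return "<div class=\"comment\"><b>$author</b>: $body</div>";
}

/** Encode a user-controlled value for an HTML text or attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened: every user-controlled value passes through h() on output. */
function render_comment_safe(string $author, string $body): string
{
    return '<div class="comment"><b>' . h($author) . '</b>: ' . h($body) . '</div>';
}

/** True if the rendered HTML still contains a literal <script> tag. */
function contains_script_tag(string $html): bool
{
    return preg_match('/<script\b/i', $html) === 1;
}

// Constructed input: one benign comment and the test string from the thread.
$comments = [
    ['alice', 'Nice article!'],
    ['tedd',  '<script> alert("Evil Code");</script>'],
];

foreach ($comments as [$author, $body]) {
    $unsafe = render_comment_unsafe($author, $body);
    $safe   = render_comment_safe($author, $body);
    printf(
        "%-6s unsafe has <script>: %-3s | safe has <script>: %-3s\n",
        $author,
        contains_script_tag($unsafe) ? 'yes' : 'no',
        contains_script_tag($safe) ? 'yes' : 'no'
    );
    echo "  safe output: $safe\n";
}
```

Run it from the command line with `php` to compare the two renderings; in the safe output the angle brackets and quotes arrive as entities, so a browser displays the text instead of parsing it as markup.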


