<3 that. Mitigations get a free pass, regardless of design quality & efficacy.
jQuery.html(inj) is a tiny fraction? I find it hard to believe on the open web, ask pentesters. I've seen many myself.
You realize that this is fixable, right? If you care about XSS enough to adopt CSP w/ nonces you can use a hardened jQuery
... at least if you believe that these kinds of bypasses are a big enough threat for your app - which they sometimes may be
End of conversation
New conversation -
If you look at where XSS is most common it's still markup generation (server + client w/ innerHTML and similar APIs)
yeah; I thought you had broken the "script-src https:" policy with iframe srcdoc injection in an innerHTML() call
@kkotowicz
No, that was an example of injection into innerHTML which is as easy to exploit as usual if you have a whitelist bypass ;)
End of conversation
New conversation -