Page sets frame.src to value of a url parameter, but only it if it doesn't contain :, // or \\. Any ideas for some way around this?
-
-
@peterjaric Or just "javascript:alert(1)" ? -
@avlidienbrunn I think the second one only works if it's generated server side. Lack of Twitter space made me omit that it's client side#js -
@avlidienbrunn I tried setting param=/\/google.com, but \ is just interpreted as part of the path -> 404
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.