Sebastian Tschan authored
Although setting HTML element content via innerHTML ignores script tags, it is possible to run arbitrary script code by using the onerror handler of img tags: result.html?<img src="foo.png" onerror="alert(document.cookie)"/> Setting the body content via textContent/innerText fixes this security hole. Thanks to Diederik van der Boor for the report and proof-of-concept.
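The fix described in the commit above, as an added example that is not part of the original commit or of the project's own code: the attacker-controlled query string is rendered into the page as text (textContent, with innerText as the legacy fallback) instead of markup, so the `<img onerror>` payload becomes literal characters and no element or handler is created. The function names `readResultFromSearch`, `renderResult` and `escapeHtml` are assumptions for this illustration; the stub object at the bottom stands in for `document.body` when the script runs outside a browser.

```javascript
// Added example (not from the original commit). Assumed names:
// readResultFromSearch, renderResult, escapeHtml.

// Extract the raw payload from a location.search value such as
// "?<img ...>". It is attacker-controlled and must be treated as text.
function readResultFromSearch(search) {
  const raw = search.startsWith('?') ? search.slice(1) : search;
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) {
    return raw; // malformed percent-encoding: still just text, never markup
  }
}

// Safe rendering: assign text, never HTML. textContent is the standard
// property; innerText is the fallback for old browsers that lack it.
// The browser creates no elements and no event handlers from this assignment.
function renderResult(el, search) {
  const text = readResultFromSearch(search);
  if ('textContent' in el) {
    el.textContent = text;
  } else {
    el.innerText = text;
  }
  return text;
}

// If markup really has to be assembled and assigned via innerHTML
// (for example to wrap the result in a <pre>), escape the untrusted
// value first so that "<img" cannot start a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Demonstration outside a browser: a stub element stands in for document.body.
// In a browser you would call renderResult(document.body, location.search).
if (typeof document === 'undefined') {
  const body = { textContent: '' }; // constructed stand-in for a DOM element
  const shown = renderResult(body, '?<img src="foo.png" onerror="alert(document.cookie)"/>');
  console.log(shown); // printed as literal text; no image element, no onerror
  console.log(escapeHtml(shown)); // what you would assign if innerHTML were unavoidable
}
```

In a browser, `renderResult(document.body, location.search)` is the drop-in replacement for the old `document.body.innerHTML = ...` pattern; `escapeHtml` is only for the case where the page must still build HTML around the untrusted value.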