[Commotion-admin] [commotion-apps] Stored XSS in local application URL (High) (#12)

Griffin Boyce notifications at github.com
Mon Sep 9 19:03:05 UTC 2013


Well, someone could theoretically include injectable data via `data:`, so something like `data:text/html base64,b21naGF4` becomes the world's weakest payload. Restricting things so that the first few characters must be http doesn't always work as older browsers may still convert `https://;javascript:alert('omghax')` into a working exploit.

---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/commotion-apps/issues/12#issuecomment-24105549
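A server-side allowlist check for the stored application URL, added here as an example and not code from commotion-apps or from the commenter; it assumes the check runs in Python on the raw submitted string before storage, and contrasts the leading-characters check the comment warns about with validation of both the parsed scheme and the host part, so that the `https://;javascript:` and `data:` payloads above are rejected.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Hostname labels (RFC 1123 style) with an optional numeric port; a constructed
# pattern for this example, so ';', '@', quotes and parentheses can never pass as a host.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?::\d{1,5})?$"
)


def naive_prefix_check(url: str) -> bool:
    """The weak check discussed above: only looks at the leading characters."""
    return url.lower().startswith("http")


def is_safe_app_url(url: str) -> bool:
    """Accept only absolute http(s) URLs whose authority is a plain host[:port]."""
    # Reject ASCII whitespace and control characters outright: browsers (and newer
    # urlsplit versions) discard them before scheme parsing, so " javascript:" or
    # "java\tscript:" would otherwise be normalised into a live scheme.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # Scheme allowlist stops data:, javascript:, vbscript:, file:, and scheme-less input.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Host validation is what defeats "https://;javascript:...": the scheme is fine,
    # but the netloc is not a hostname, so the URL is refused.
    return HOST_RE.match(parts.netloc.lower()) is not None
```

Only the scheme and authority are constrained; a `javascript:` string inside the query (as in a redirect parameter) is stored as data and is not itself navigated to, so it passes.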