XSS - Prevention works on IE but doesn’t work on Chrome


Viewed 67 times

3

When preventing an XSS attack (Alert(123;)) using Html.Encode the on-screen code is as follows:

<select class="combobox" id="xssSelect" name="cmbXss">
<option selected="selected" value="1">&lt;script&gt;alert(123;)&lt;/script&gt;</option>
<option value="2">Opcao2</option>
<option value="3">Opcao3</option>
</select> 

If you run this on IE, the combo works perfectly, but in Chrome it crashes and I can’t change the options. You can run this test yourself using Stack Overflow's own code snippet runner in IE and Chrome.

Note: I am using Chrome version 43.0.2357.81 m

Note 2: Stack Overflow itself is preventing the XSS attack when I enter the value... so here is the value I am preventing in my code, as an image.

  • You can always use &frasl; instead of /... http://jsfiddle.net/zdr06mkf/

  • Is it intentional to use alert(123;) instead of alert(123);? If so, why?

  • @Victorstafusa that doesn’t matter, the behavior is the same. The value is like this because it was an intentional test of XSS in my project.

1 answer

2
