XSS - Prevention works on IE but doesn’t work on Chrome

Question

XSS - Prevention works on IE but doesn’t work on Chrome

Asked 9 years, 5 months ago

Viewed 67 times

3

When preventing an XSS attack (Alert(123;)) using Html.Encode the on-screen code is as follows:

<select class="combobox" id="xssSelect" name="cmbXss">
<option selected="selected" value="1">&lt;script&gt;alert(123;)&lt;/script&gt;</option>
<option value="2">Opcao2</option>
<option value="3">Opcao3</option>
</select>

If you run on IE this combo works perfectly, but in Chrome it crashes and I can’t change the options. Give to do this test by own stackoverflow running code snippet between IE and Chrome.

Note: I am using Chrome in version 43.0.2357.81 m

Note 2: Stackoverflow itself is preventing XSS attack when I enter the value... then follow the value I am preventing in my image code inserir a descrição da imagem aqui

You can always use &frasl; in time of /... http://jsfiddle.net/zdr06mkf/

– Sergio

2015/06/08 at 22:01
It is intended to use alert(123;) instead of alert(123);? If so, why?

– Victor Stafusa

2015/06/08 at 22:27
@Victorstafusa that doesn’t matter, the behavior is the same. The value is like this because it was an intentional test of XSS in my project.

– Arthur Menezes

2015/06/09 at 12:23

1 answer

Browser other questions tagged html google-chrome xss

You are not signed in. Login or sign up in order to post.

by Arthur Menezes • **2,210** points · Answer 1 · 2015-06-08T21:56:42+00:00

Current version of Chrome bug.

When executing the same code in version 42 the error does not occur.

I already reported the problem to Google. If anyone wants to follow, follow the link: https://productforums.google.com/forum/#! topic/Chrome-pt/Vkj0uhsbufq;context-place=forum/Chrome-pt