Martin Paul Eve bio photo

Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London

Email Books Twitter Google+ Github Stackoverflow MLA CORE Institutional Repo ORCID ID   ORCID iD

Email Updates

ASP.NET comes preloaded with some default XSS protection which is actually pretty nifty. However, it turns out that the system can be circumvented by a variety of methods, as illustrated by this test input:

</a style="xx:expr/**/ession(document.appendChild(document.createElement('script')).src='')">

Turns out that IE will still process attributes on closing tags which circumvents the filter for <a whilst also treating /**/ as a null comment but obviously breaking .NET's filter regex. Thanks to Hong @ sla.ckers.