XSS attack to bypass htmlspecialchars() function in value attribute

Posted by Setzer on Stack Overflow
Published on 2010-05-24T02:35:57Z Indexed on 2010/05/24 2:40 UTC

Let's say we have this form, and the possible part for a user to inject malicious code is this below:

... <input type=text name=username value=<?php echo htmlspecialchars($_POST['username']); ?>> ...

We can't simply put a tag, or a javascript:alert(); call, because value will be interpreted as a string, and htmlspecialchars filters out the <, >, ' and ", so we can't close off the value with quotations.

We can use String.fromCode(.....) to get around the quotes, but I am still unable to get a simple alert box to pop up.

Any ideas?
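
An added example (not part of the original post) of why the missing quotes around the value attribute matter and what the hardened form looks like: htmlspecialchars() leaves whitespace untouched, and whitespace ends an unquoted attribute value. The helper names and the sample inputs are constructed for illustration.

```php
<?php
// Added example: hypothetical helper names, constructed sample input.

// The pattern from the question: the value attribute is written without quotes.
function render_unquoted(string $username): string
{
    return '<input type=text name=username value=' . htmlspecialchars($username) . '>';
}

// Hardened form: every attribute is quoted, and ENT_QUOTES encodes both quote
// characters (before PHP 8.1 the default flag was ENT_COMPAT, which leaves ' as-is).
function render_quoted(string $username): string
{
    return '<input type="text" name="username" value="'
        . htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Parse the markup with an HTML parser and list the attributes it finds on <input>.
function input_attributes(string $html): array
{
    libxml_use_internal_errors(true);   // collect parser warnings instead of printing them
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $attrs = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// Constructed, benign inputs: one with a space, one with both quote characters.
$samples = ['Ann Lee', 'O\'Brien "Bob"'];

foreach ($samples as $sample) {
    echo "input: $sample\n";
    echo "unquoted attribute:\n";
    print_r(input_attributes(render_unquoted($sample)));
    echo "quoted attribute:\n";
    print_r(input_attributes(render_quoted($sample)));
}
```

With the unquoted form the parser ends value at the first space and treats the rest of the input as further attributes of the element; with the quoted form the whole input stays inside value.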
