XSS exploit when JavaScript is disabled
Posted
by snaken
on Stack Overflow
See other posts from Stack Overflow
or by snaken
Published on 2010-06-04T11:13:59Z
Indexed on
2010/06/05
10:42 UTC
Read the original article
Hit count: 279
I'm getting pretty frustrated trying to make McAffee whitelist a supposed exploit on a site i work on. The issue is that their automated system has detected a supposed XSS exploit but the exploit only exists when JavaScript is disabled. Given the fact that you need JavaScript to be disabled for the exploit to exist then surely this means this is not an exploit. Can anyone think of any possible arguments to the contrary?
Update - To add more detail:
The problem comes from in one place unsanitized URL content is written to an anchor tag href.So, with JS disabled you could have something like this:
<a href="foor.php?"><script>alert('foo')</script>#someanchor" ..
When JavaScript is enabled this href is updated to be this (on dom ready):
<a href="javascript:;">link</a>
So, with JS enabled the link is no longer injected, with JS disabled the alert would no longer execute.
© Stack Overflow or respective owner