XSS exploit when JavaScript is disabled

Posted by snaken on Stack Overflow
Published on 2010-06-04T11:13:59Z Indexed on 2010/06/05 10:42 UTC

I'm getting pretty frustrated trying to make McAfee whitelist a supposed exploit on a site I work on. The issue is that their automated system has detected a supposed XSS exploit, but the exploit only exists when JavaScript is disabled. Given the fact that you need JavaScript to be disabled for the exploit to exist, then surely this means this is not an exploit. Can anyone think of any possible arguments to the contrary?

Update - To add more detail:

The problem comes from the fact that in one place unsanitized URL content is written to an anchor tag href. So, with JS disabled you could have something like this:

<a href="foor.php?"><script>alert('foo')</script>#someanchor" ..

When JavaScript is enabled this href is updated to be this (on dom ready):

<a href="javascript:;">link</a>

So, with JS enabled the link is no longer injected; with JS disabled the alert would no longer execute.

© Stack Overflow or respective owner
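
Added example, not part of the original question or the site's code: the href rendering described above, written unencoded and then with attribute encoding applied at output time, plus what a parser takes as the href value in each case. All function names are hypothetical and the request URL is a constructed sample based on the markup quoted in the question.

```javascript
// Constructed sample: the request URL from the question, injected markup included.
const requestUrl = `foor.php?"><script>alert('foo')</script>#someanchor`;

// Escape the characters that can end a quoted attribute value or open a tag.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// 'Before': URL content written into href as-is (the behaviour the question describes).
function renderLinkUnsafe(url) {
  return `<a href="${url}">link</a>`;
}

// 'After': same template, value encoded for the attribute context on output.
function renderLinkSafe(url) {
  return `<a href="${escapeHtmlAttr(url)}">link</a>`;
}

// What an HTML parser takes as the href value: everything up to the next double quote.
function parsedHref(html) {
  const m = /<a href="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// True when the served markup contains a literal <script> start tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Compare the two renderings of the same URL as they leave the server.
function report(url) {
  const unsafe = renderLinkUnsafe(url);
  const safe = renderLinkSafe(url);
  return {
    unsafeHref: parsedHref(unsafe),
    unsafeHasScript: containsScriptTag(unsafe),
    safeHref: parsedHref(safe),
    safeHasScript: containsScriptTag(safe),
  };
}

console.log(report(requestUrl));
```

Attribute encoding stops the attribute break-out shown here; it does not validate the URL scheme of the value.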
