User talk:CSteipp (WMF)/Training/VulnTagging js

From mediawiki.org

Answers

  • This is an example of a DOM-based XSS. A JavaScript event handler can be added to the link when it is written into the DOM by manipulating the class name of the selected ul element on the page. This is made easier in part because jQuery's .html(), which uses .innerHTML, will convert &quot; into a " in the DOM automatically.

For example, adding a page that contains:

<ul id="vuln-tag-list" class="a" onclick="alert(1);"> <!-- If you view the source, the " after the a and ; are actually &quot; -->
<li>attack!</li>
</ul>

will result in the following HTML after the JavaScript runs:

<ul id="vuln-tag-list" class="a" onclick="alert(1);">
<li>attack!</li>
<a href="Special:EditPageTags/a" onclick="alert(1);">Edit Tags</a></ul>
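
The same pattern as an added example (not the training exercise's own script, which this page does not show): a string-built link beside an attribute-encoded version, with a small check of which attributes each one produces. The function names and the concatenation onto Special:EditPageTags/ are assumptions inferred from the output above.

```javascript
// Added example: hypothetical reconstruction, not the exercise's real script.

// Class value as JavaScript sees it after reading it from the DOM:
// the HTML parser has already turned &quot; back into ".
const decodedClass = 'a" onclick="alert(1);';

// Vulnerable: the decoded value is concatenated into markup that .html() re-parses.
function buildLinkUnsafe(className) {
  return '<a href="Special:EditPageTags/' + className + '">Edit Tags</a>';
}

// Re-encode the characters that can end an attribute value or start a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: same markup, but the value is encoded for the attribute context.
function buildLinkSafe(className) {
  return '<a href="Special:EditPageTags/' + escapeAttr(className) + '">Edit Tags</a>';
}

// List the attribute names in the opening tag (double-quoted attributes only,
// which is all this demonstration produces).
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf('>') + 1);
  return Array.from(openTag.matchAll(/([\w-]+)\s*=\s*"[^"]*"/g), m => m[1]);
}

console.log(attributeNames(buildLinkUnsafe(decodedClass))); // [ 'href', 'onclick' ]
console.log(attributeNames(buildLinkSafe(decodedClass)));   // [ 'href' ]

// In the browser, creating the element without re-parsing a string avoids the
// issue entirely: $('<a>').attr('href', url).text('Edit Tags').appendTo($ul)
```

The unsafe builder reproduces the link shown in the output above; the encoded one keeps the whole class value inside href.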