javascript - How to prevent XSS script execution via URL when using/testing with a third-party tool?

Users/testers on the website are able to execute scripts via the URL using a third-party tool.

So, with the tool running, enter:

`http://yoursite.com?q=nokia188413544056"><script>alert(document.cookie);</script>16cd1a0b206`

Then the browser executes the alert in the URL, but not without the tool.

I am using CodeIgniter/Twig. Twig escaping does not work in the case where the Burp Suite tool is running.

However, in the normal scenario Twig outputs the following escaped values, and the script in the URL does not execute:

`search?query=nokia188413544056%22%3e%3cscript%3ealert(document.cookie);%3c/script%3e16cd1a0b206`

I was able to reproduce the same on IE after disabling the XSS filter using Internet Options in IE.

However, I have verified multiple times stripping tags and filtering URL parameters.

Can someone guide me on the reason, or a valid case?

Note: I can provide more details and the output of every step if needed.
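The following is an added example, not code from the question or from CodeIgniter/Twig. It models the reflected search parameter with a hypothetical `renderSearch` handler: the percent-encoded URL from the question is what the address bar shows, but the framework decodes it before the template sees it, so protection comes from HTML-escaping the value at output time (what Twig's `html` autoescape strategy does), not from the encoding in the URL. The `reflectsUnescaped` check is the kind of test a proxy such as Burp runs against the response body.

```javascript
// Added example (not from the question or the CodeIgniter/Twig project):
// a reflected search parameter rendered without and with HTML escaping.

// Same character set Twig's "html" autoescape strategy escapes: & < > " '
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hypothetical search template: the query is reflected inside an attribute
// value. escape === false reproduces the vulnerable behaviour.
function renderSearch(q, { escape }) {
  const v = escape ? escapeHtml(q) : q;
  return `<input type="text" name="query" value="${v}">`;
}

// Constructed request URL, using the percent-encoded query from the question.
const REQUEST_URL =
  'http://example.test/search?query=nokia188413544056%22%3e%3cscript%3e' +
  'alert(document.cookie);%3c/script%3e16cd1a0b206';

// What the server-side handler actually receives: the URL is percent-decoded
// by the platform, so "%3cscript%3e" in the address bar is "<script>" by the
// time the template renders it.
function getQueryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Detection check over a response body: the decoded parameter appearing
// verbatim, with none of its special characters entity-encoded, means the
// output is not escaped and the reflected script will run in a browser
// that has no XSS filter (or whose filter is disabled).
function reflectsUnescaped(body, q) {
  return body.includes(q) && !body.includes(escapeHtml(q));
}

// Run stand-alone: shows the decoded value and both render outcomes.
const query = getQueryParam(REQUEST_URL, 'query');
console.log('decoded query :', query);
console.log('vulnerable    :', reflectsUnescaped(renderSearch(query, { escape: false }), query));
console.log('escaped       :', reflectsUnescaped(renderSearch(query, { escape: true }), query));
```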