javascript - How to prevent XSS script execution via URL when using/testing with a third-party tool?


Users/testers of the website are able to execute scripts via the URL using a third-party tool.

So, with the tool running, enter http://yoursite.com?q=nokia188413544056"><script>alert(document.cookie);</script>16cd1a0b206

Then the browser executes the alert from the URL; without the tool it does not.

I am using CodeIgniter/Twig. Twig escaping does not work in the case where the Burp Suite tool is running.

However, in the normal scenario Twig outputs the following escaped values and the script in the URL does not execute: search?query=nokia188413544056%22%3e%3cscript%3ealert(document.cookie);%3c/script%3e16cd1a0b206

i able reproduce same on ie after disabling xss filter using internet option of ie.

However, I have verified multiple times that I am stripping tags and filtering URL parameters.

Can someone guide me on the reason, or is this a valid case?

Note: I can provide more details and the output of every step if needed.
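As an added example that is not part of the original question (and not CodeIgniter's or Twig's own code): the JavaScript below models the reflection the question describes. It takes the two URLs quoted above, extracts the search parameter the way a server-side framework would, and renders it into an assumed `<input value="...">` fragment once with Twig-style HTML escaping (Twig's default `html` strategy replaces `& < > " '`) and once verbatim, which is what the `|raw` filter or autoescape being off produces. The `renderSearchInput` and `hasInjectedScript` helpers and the page layout are assumptions for illustration; only the URLs and payload come from the question.

```javascript
// Added example, not code from the original post. Models a search page that
// reflects the "query" parameter into an <input value="..."> attribute, once
// with Twig-style HTML escaping and once without (the |raw / autoescape-off case).
// The two URLs are the ones quoted in the question; the page layout is assumed.

// Same character set Twig's default "html" escaping strategy replaces.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#039;",
  })[c]);
}

// Extract the reflected parameter the way a server-side framework would,
// decoding percent-encoding so both URL forms yield the same raw string.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// Render the fragment of the page that echoes the search term. With
// autoescape on (Twig's default) the value is escaped before insertion;
// with it off it is inserted verbatim, which is what an XSS payload needs.
function renderSearchInput(term, autoescape = true) {
  const value = autoescape ? escapeHtml(term) : term;
  return `<input type="text" name="query" value="${value}">`;
}

// Check a rendered fragment for a script tag that survived output encoding.
// An escaped payload contains "&lt;script&gt;", never a real "<script".
function hasInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed from the two URLs in the question (host assumed to be the same).
const ENCODED_URL =
  "http://yoursite.com/search?query=nokia188413544056%22%3e%3cscript%3ealert(document.cookie);%3c/script%3e16cd1a0b206";
const RAW_URL =
  'http://yoursite.com/search?query=nokia188413544056"><script>alert(document.cookie);</script>16cd1a0b206';

const term = queryParam(ENCODED_URL, "query");
console.log(term === queryParam(RAW_URL, "query")); // both decode to the same payload
console.log(renderSearchInput(term));               // escaped: attribute stays closed, no script tag
console.log(renderSearchInput(term, false));        // unescaped: breaks out of the attribute
console.log(hasInjectedScript(renderSearchInput(term)), hasInjectedScript(renderSearchInput(term, false)));
```

The point the example makes is that the percent-encoded and the literal form of the URL are the same string once the server decodes the parameter, so what decides whether the alert fires is only what the template does at output time: if the fragment returned to the browser contains `&lt;script&gt;` the browser will not execute it, and if it contains `<script>` it will, regardless of which proxy or browser delivered the request.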

