Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Hmm. I can't say for absolute sure, but if the root document is HTML and there are no <script> tags (or <iframe>s, I guess), I don't see how you'd get JavaScript to execute. I think those are strictly the only entry-points JS can have, and it's not like HTML or CSS could mutate the document to create one after the fact.

EDIT: I brainfarted and totally forgot about inline event handlers. Go easy on the downvotes please.



  <div onclick="alert(0)">whoops</div>
If you want to dive down the rabbit hole, here's a good place to start: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_She...


Ah right, duh. Still, I feel like there would be an enumerable set of properties that can execute JS.


There is an enumerable set of HTML and CSS properties, so yeah.

That document is scary! There are 70 different ways to encode an opening angle bracket, what is just a tiny side note...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: