Published 16 years 5 months ago • Last updated April 1, 2025 • ⏱️ 2 min read
This is an important post for me, not because it's ground breaking but people don't seem to get this when using data in certain context. If you are a dev please read this and read it until you understand it because if you misidentify context you fail and you fail pretty badly.
I reported this to twitter about two months ago, they responded and fixed four xss holes but two remain and they didn't contact me to test the fix.
When you are including user input inside a javascript event within a string what do you have to escape? If you answered: '"<>\
You are wrong. Twitter is wrong.
Take the following example:-
<a href=# onclick="x= 'USERINPUT' ">test</a>
So you can place your input within the single quotes and there is a place on twitter that does this:- twitterTheseResults(' &quot;'xss','/search?q=&a...
Here they are escaping " with &quot; and ' with '. But that isn't enough! Why? Because it's a javascript onclick event! Inside an event you have to escape entities! All of them!
Consider the following vector:-
',alert(1),'
No single quotes but ' still acts as one. Please look at this test and make sure you understand how it works:- http://tinyurl.com/xssyoda
Don't forget other entities work too ' ' ' ' so make sure you escape all characters within a js event like so:-
<a href="#" onclick="x='USERINPUT\x27\x22\x3c\x3e'">test</a>
and Twitter PLEASE fix this and related holes c'mon it's been two months, it's not rocket science to fix.
' works on non-IE browsers but the other entities mentioned work fine on IE too.