from Hacker News

SemicolonScript

by rodh257 on 4/17/12, 3:42 PM with 1 comment

  • by mikegirouard on 4/17/12, 5:00 PM

    This reminds me of a demo I saw Billy Hoffman[1] do a while back at a conference. He demonstrated a way of embedding whitespace in a forum post that is mapped to a malicious JS method injected via XSS. The point was to circumvent HTML sanitation attempts to strip raw JS code.

    This tool could be used for something similar. Just replace the semicolon token[2] with something less obvious (say '\t' for example), and you've got a pretty interesting tool.

    [1]: https://en.wikipedia.org/wiki/Billy_Hoffman
    [2]: https://github.com/RodH257/SemicolonScript/blob/master/Defau...