About 10,000 results match the query (took 0.0177 seconds) [XML]
How to increase the Java stack size?
...
Hmm... it works for me and with far less than 999MB of stack:
> java -Xss4m Test
0
(Windows JDK 7, build 17.0-b05 client VM, and Linux JDK 6 - same version information as you posted)
...
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
...< or > to do anything dangerous. Our attack vector could just be javascript:alert(document.cookie)
Now resultant HTML looks like
<img src= "javascript:alert(document.cookie)" />
The attack gets straight through.
It gets worse. Why? because htmlspecialchars (when called this way) on...
HTML-encoding lost when attribute read from input field
I’m using JavaScript to pull a value out from a hidden field and display it in a textbox. The value in the hidden field is encoded.
...
Ways to circumvent the same-origin policy
...shorter domain is used for subsequent origin checks. For example, assume a script in the document at http://store.company.com/dir/other.html executes the following statement:
document.domain = "company.com";
After that statement executes, the page would pass the origin check with http://company.c...
Defining a HTML template to append using JQuery
...milar to the one below.
Browsers and screen readers ignore unrecognized script types:
<script id="hidden-template" type="text/x-custom-template">
<tr>
<td>Foo</td>
<td>Bar</td>
</tr>
</script>
Using jQuery, adding rows base...
Add querystring parameters to link_to
...4174493/445908
Otherwise, check this answer: params.merge and cross site scripting
...
Render a string in HTML and preserve spaces and linebreaks
I have an MVC3 app that has a details page. As part of that I have a description (retrieved from a db) that has spaces and new lines. When it is rendered the new lines and spaces are ignored by the html. I would like to encode those spaces and new lines so that they aren't ignored.
...
Why does this method print 4?
...
Experiment setup:
Ubuntu 12.04 server with default java and default-jdk. Xss starting at 70,000 at 1 byte increments to 460,000.
The results are available at: https://www.google.com/fusiontables/DataSource?docid=1xkJhd4s8biLghe6gZbcfUs3vT5MpS_OnscjWDbM
I've created another version where every rep...
Which characters need to be escaped in HTML?
... to content that has special parsing rules or meaning, such as inside of a script or style tag, or as an element or attribute name. For example: <NOT-HERE>...</NOT-HERE>, <script>NOT-HERE</script>, <style>NOT-HERE</style>, or <p NOT-HERE="...">...</p>....
Exploitable PHP functions
... problem if they do a header("location: ..."); and they do not die();. The script keeps executing after a call to header(), and will still print output normally. This is nasty if you are trying to protect an administrative area.
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_...