Comments on Web Reflection: Simulate Script Injection Via Data URI

Andrea Giammarchi (2011-08-24T21:40:57.099+02:00):
P.S. btw ... that was kinda *not* the point about the whole post but thanks for pointing it out

Andrea Giammarchi (2011-08-24T21:39:54.069+02:00):
it may have unexpected behavior with non-ASCII char due to attribute restrictions.

Indeed even btoa is not enough, base64.encode(whateverItIs) (http://devpro.it/code/214.html) is much better

check_ca (2011-08-24T21:19:07.279+02:00):
What about not encoding into base64 the script src ?

e.g.:

script.src = "data:text/javascript;,alert('Hello World')";