XSS with location.href behavior of some browsers · Issue #4787 · jquery-archive/jquery-mobile · GitHub

This repository was archived by the owner on Oct 8, 2021. It is now read-only.

masatokinugawa opened on Aug 2, 2012

This bug differs from Issue #1990. I tested on Safari 5.1.7 for Windows and Safari Mobile (iOS 5.1.1).
The vector is:

http://l0.cm%2F@jquerymobile.com/demos/1.2.0-alpha.1/#//l0.cm/jqm

These browsers percent-decode "user:password@" part of location.href. I think XSS comes from this behavior.
FYI, this behavior is fixed as CVE-2012-3695 in Safari 6. See: http://support.apple.com/kb/HT5400
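An added example for maintainers reading this report (it is not code from the issue or from the jQuery Mobile code base): it shows why a same-host check that derives the document's host from a parsed location.href is fooled once the browser has percent-decoded the userinfo, and the hardened form that compares against a hostname obtained independently of the href string. The trustedHost parameter is hypothetical (in a page it would come from location.hostname); both href strings are constructed from the vector above.

```javascript
// Constructed samples based on the reported vector: the href as written, and
// the same href after a browser has decoded "%2F" inside "user@" to "/",
// which is the behaviour the report describes.
const RAW_HREF = "http://l0.cm%2F@jquerymobile.com/demos/1.2.0-alpha.1/#//l0.cm/jqm";
const DECODED_HREF = "http://l0.cm/@jquerymobile.com/demos/1.2.0-alpha.1/#//l0.cm/jqm";

// Document host derived by parsing the href string. Once "%2F" has become
// "/", the authority ends there and the parser reports "l0.cm" as the host.
function hostFromHref(href) {
  return new URL(href).hostname;
}

// Host of the page a hash-supplied path would load: resolve the fragment
// (minus "#") relative to the document. "//l0.cm/jqm" is protocol-relative,
// so it resolves to http://l0.cm/jqm regardless of the document's host.
function hashTargetHost(href) {
  const candidate = new URL(href).hash.slice(1);
  return new URL(candidate, href).hostname;
}

// Weak check: trusts the host parsed out of the href string. With the
// decoded href both sides evaluate to "l0.cm" and the foreign page passes.
function weakIsSameHost(href) {
  return hashTargetHost(href) === hostFromHref(href);
}

// Hardened check: the trusted host is supplied from outside the href string
// (hypothetical parameter; use location.hostname in a real page), so a
// decoded userinfo cannot shift it.
function strictIsSameHost(href, trustedHost) {
  return hashTargetHost(href) === trustedHost;
}
```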
