An XML file may contain an xml-stylesheet processing instruction that points to an XSL file, which the browser uses to format the XML for output. During the XSL transformation you can output arbitrary HTML, including a <script> tag, so you can pop an alert.
However, the permissions of a script running inside an XML-formatted document are relatively limited, and many operations cannot be carried out. Still, I think that does not affect uses such as phishing.
To trigger this alert, as I see it, two conditions must be met:
1. Make the browser treat the output as XML, and insert some code under that condition (everyone can look into this for yourself).
2. Under the same-origin rule, produce an output page that satisfies the XSL format. Either uploading it as a picture or unfiltered output works.
I think the use of this thing should basically focus on uploads.
I remember a certain Internet company used to allow users to upload a custom XML file for configuring their user space, and by the look of it many forums should also allow uploading XML files.
The harshest case is an AJAX callback interface where some input is not filtered, is output directly, and the Content-Type is set to XML.
The following is the code for the alert pop-up; how to use it is up to you.
The XML file:
<?xml version="1.0" encoding="iso-8859-1"?>
<?xml-stylesheet type="text/xsl" href="test.jpg"?>
<test></test>

The XSL file (served as test.jpg):
<?xml version="1.0" encoding="iso-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><body>
      <script>alert(/hacked by xsser/);</script>
    </body></html>
  </xsl:template>
</xsl:stylesheet>
I remember a certain Internet company used to allow users to upload a custom XML file for configuring their user space, but now I can't find the upload point.
Also, by the look of it, many forums should allow uploading XML files.
The XSL file specified in the XML file does not require a particular file extension or Content-Type; tested in FF and IE, passes.
Prohibit users from uploading XML files.
For operations that output input as XML, filter the
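As an added, defender-side example (not code from the original post), a Python pre-upload check that rejects the two file kinds the post relies on: an XML file carrying an xml-stylesheet processing instruction, and an XSL stylesheet itself. The sample blobs below are constructed here and only mirror the post's payload.

```python
# Added example (not from the original post): server-side pre-upload check
# for XML files that could trigger the xml-stylesheet behaviour described above.
from xml.dom import minidom
from xml.dom.minidom import Node
from xml.parsers.expat import ExpatError

XSL_NS = "http://www.w3.org/1999/XSL/Transform"


def find_stylesheet_pis(data):
    """Return the data of every document-level xml-stylesheet PI.

    The PI sits outside the root element, as a child of the document node,
    so only doc.childNodes is inspected (the XML declaration is not a PI).
    """
    doc = minidom.parseString(data)
    return [node.data for node in doc.childNodes
            if node.nodeType == Node.PROCESSING_INSTRUCTION_NODE
            and node.target == "xml-stylesheet"]


def is_xsl_stylesheet(data):
    """True when the root element is an XSLT stylesheet/transform."""
    root = minidom.parseString(data).documentElement
    return root.namespaceURI == XSL_NS and root.localName in ("stylesheet", "transform")


def upload_allowed(data):
    """Decide whether an uploaded XML blob may be stored; returns (allowed, reason)."""
    try:
        pis = find_stylesheet_pis(data)
        stylesheet = is_xsl_stylesheet(data)
    except ExpatError as exc:
        return False, "not well-formed XML: %s" % exc
    if pis:
        return False, "xml-stylesheet PI present: %s" % pis[0]
    if stylesheet:
        return False, "file is an XSL stylesheet"
    return True, "ok"


# Constructed samples mirroring the post's payload (not real uploads).
MALICIOUS_XML = (b'<?xml version="1.0" encoding="iso-8859-1"?>'
                 b'<?xml-stylesheet type="text/xsl" href="test.jpg"?>'
                 b'<test></test>')
MALICIOUS_XSL = (b'<?xml version="1.0" encoding="iso-8859-1"?>'
                 b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
                 b'<xsl:template match="/"><html><body><script>alert(1)</script>'
                 b'</body></html></xsl:template></xsl:stylesheet>')
BENIGN_CONFIG = b'<?xml version="1.0"?><space><theme>dark</theme></space>'

if __name__ == "__main__":
    for name, blob in (("xml", MALICIOUS_XML), ("xsl", MALICIOUS_XSL), ("config", BENIGN_CONFIG)):
        print(name, upload_allowed(blob))
```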
Asking for a Baidu cloud phone.