Bypassing HTML Entities

1100 · February 8th, 2010, 14:25

Is it possible? For example, whenever I input the character ">" out comes > in it's place. Any way to exploit this?

Scrapheap · February 9th, 2010, 04:00

The usual way to exploit <>'s is when the system doesn't replace them with < and > as you can then insert your own html tags and script tags.

1100 · February 9th, 2010, 06:16

Well yeah but I was wondering if that was possible to bypass ( the translation of < to < and > to > )

Also, I was once part of a forum that made HTML comments for every thread name and post body. It was ridiculous. All you had to do was type "-->" and then inject any HTML code you wanted, and of course CSS and Javascript if you wanted. Haha just thought I'd share that.

Example:
thread name was "--> <style type="text/css"> blah blah 

 <style type="text/css"> blah blah

Scrapheap · February 9th, 2010, 06:44

You try using url encoding of a unicode value which can sometimes get through to the browser.

1100 · February 9th, 2010, 06:58

Hmm. I'm assuming that doesn't really work much nowadays, though. Right? Thanks for the suggestion!

Scrapheap · February 9th, 2010, 07:08

It doesn't work so much these days, but it's always worth trying just to be sure.

1100 · February 9th, 2010, 07:13

Thanks again, buddy!