Random seed may result in valid attribute

Question

Random seed may result in valid attribute

gbrindisi opened this issue 13 years ago · 2 comments

gbrindisi commented 13 years ago

The randoms generated seed for the taint may result as a valid html attribute like href, src, etc.

https://github.com/gbrindisi/xsssniper/blob/master/core/payload.py#L14

Must blacklist common attributes names.

Answer 1 · 2015-06-03T17:19:11.000Z

Wouldn't it be better just to use long enough randoms so that it won't overlap with anything existing?

Answer 2 · 2015-06-04T09:22:48.000Z

Yes but since I've left the chance to set the seed length to the user, this problem could still occur.
If you have better ideas I'd like to hear them!