鬼仔's Blog

鬼仔：这几天一直在玩游戏，更新不及时。抱歉。

来源：Ph4nt0m Google Group

http://www.thespanner.co.uk/2007/10/09/injecting-the-script-tag-into-xml/

Firefox is now the browser I like hacking, there’s just so much stuff it
can do. I simply don’t have enough time to explore everything, but what I
have found was some very interesting XML behavior. I was helping Ronald
<http://www.0x000000.com/> a while back with a Firefox chrome security flaw
and we discussed on slackers <http://sla.ckers.org/forum/read.php?13,14680>
that some XML entities in Firefox contain sensitive information which it is
possible to read using XHR.
I thought of what other interesting things I could do with XML entities and
I found a way of injecting script tags using them. This could have
implications if you offer a HTML upload service but you filter out dangerous
tags for example. The proof of concept is very basic but displays the method
clearly.
XML <http://www.businessinfo.co.uk/labs/xml_injection/inject.xml> injection

代码如下(FF里测试成功)：

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html [
<!ENTITY inject "<script>alert(1)</script>">
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Test</title>
</head>

<body>
&inject;
</body>
</html>