Hi,
Is it possible to launch an XSS attack on modern browsers when the server encodes special ASCII characters like ‘"’ or ‘<’ or ‘>’, but not valid multibyte UTF-8 characters, without using server-side normalization issues? The user-controlled value is passed into JavaScript inside an HTML script tag as a string constant, so it is between two double quotes.
Any ideas?
<script>
a="hell"-alert(0)-"o";
</script>
My answer would be no, but it may vary depending on the situation. In the general case, JS is looking for the closing " to end the string, and anything in between is considered a string. However, you may like the above payload, for when ; is blocked but " is not.
Ok, thank you for answering.
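
An added example, not part of the thread: one way a server could encode a value for the context discussed above (a double-quoted string constant inside a script tag), escaping every UTF-16 code unit outside A-Z, a-z, 0-9 as \uXXXX so the quote characters in the payload above stay inside the string and multibyte characters survive intact. The function names and the second sample value are constructed for illustration.

```javascript
// Added example: output encoding for a JavaScript string-literal context.
// All names here are hypothetical, not from any framework.

// Escape every UTF-16 code unit that is not ASCII alphanumeric as \uXXXX.
// Characters above U+FFFF become two escapes (a surrogate pair), which a
// JavaScript string literal decodes back to the original character.
function escapeForJsString(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else {
      out += "\\u" + s.charCodeAt(i).toString(16).padStart(4, "0");
    }
  }
  return out;
}

// Build the assignment the thread describes: a="<value>";
function renderAssignment(value) {
  return 'a="' + escapeForJsString(value) + '";';
}

// Decode the escaped form the way a string literal would. The escaped text
// contains only alphanumerics and \uXXXX, so JSON.parse is enough and no
// code is evaluated.
function decodeLiteral(escaped) {
  return JSON.parse('"' + escaped + '"');
}

// Constructed sample inputs: the value from the thread and a multibyte one.
const samples = ['hell"-alert(0)-"o', "héllo 日本語 😀"];

for (const value of samples) {
  const escaped = escapeForJsString(value);
  console.log(renderAssignment(value));
  console.log("  round-trips:", decodeLiteral(escaped) === value);
}
```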