The reason is, the data after the hash was not escaped.
Perhaps a fuzzer would have caught that. But a good tool would make it hard to make such mistakes by default. A desktop app would not have suffered from such errors, by construction. The web is not a good tool.
>A desktop app would not have suffered from such errors, by construction. The web is not a good tool.
While you are correct it would not of suffered from this particular vulnerability, a improperly utilized malloc for example could have similar if not more disastrous effects and would be exploitable under the same threat model. Yet I wouldn't call it a bad tool, just a tool used by an inexperienced carpenter.
One is the exploit I describe above: data taken from the block chain was not escaped properly.
Another is a more "traditional" XSS. It was possible to format a URL such that it contained script tags that were injected into the page.
https://github.com/etherdelta/etherdelta.github.io/issues/14...
The reason is, the data after the hash was not escaped.
Perhaps a fuzzer would have caught that. But a good tool would make it hard to make such mistakes by default. A desktop app would not have suffered from such errors, by construction. The web is not a good tool.