Hacker News
by
jscissr
2957 days ago
I think escaping quotes only matters for attributes (which can use ' or "). Example:
<img src="$url">
Exploit:
foo.jpg" onload="alert('pwned')
kuroguro
2957 days ago
Heh, found the exact bug on a live bbcode parser some 5 years ago.
codedokode
2956 days ago
It was probably written using regexps? One should make full syntax analysis instead of writing regexp hacks.
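An added example, not part of the thread or any poster's code: the `<img src="$url">` template from the first comment, rendered with and without attribute escaping and checked with a character-level scan of the resulting tag. The names `escapeAttr`, `renderNaive`, `renderEscaped` and `attributeNames` are hypothetical, and the scanner assumes a single start tag as input.

```javascript
"use strict";

// Escape characters that can end or confuse a quoted attribute value.
// "&" goes first so the entities produced below are not re-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The "before": plain substitution into <img src="$url">.
const renderNaive = (url) => '<img src="' + url + '">';
// The "after": same template, value escaped for the attribute context.
const renderEscaped = (url) => '<img src="' + escapeAttr(url) + '">';

// Character-level scan of one start tag, returning the attribute names
// a parser would see. Hypothetical helper used only to check the output.
function attributeNames(tag) {
  const names = [];
  let i = tag.indexOf(" "); // skip the tag name
  if (i < 0) return names;
  while (i < tag.length) {
    while (i < tag.length && /[\s\/]/.test(tag[i])) i++;
    if (i >= tag.length || tag[i] === ">") break;
    const start = i;
    while (i < tag.length && !/[\s=>\/]/.test(tag[i])) i++;
    names.push(tag.slice(start, i).toLowerCase());
    while (i < tag.length && /\s/.test(tag[i])) i++;
    if (tag[i] !== "=") continue; // attribute without a value
    i++;
    while (i < tag.length && /\s/.test(tag[i])) i++;
    const q = tag[i];
    if (q === '"' || q === "'") {
      i = tag.indexOf(q, i + 1); // jump to the matching close quote
      if (i < 0) break;
      i++;
    } else {
      while (i < tag.length && !/[\s>]/.test(tag[i])) i++;
    }
  }
  return names;
}

// Value quoted from the thread above.
const sample = "foo.jpg\" onload=\"alert('pwned')";
console.log(attributeNames(renderNaive(sample)));   // [ 'src', 'onload' ]
console.log(attributeNames(renderEscaped(sample))); // [ 'src' ]
```

Escaping only keeps the value inside the attribute; deciding which URL schemes are acceptable in `src` is a separate validation step.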