by xss-game-bot
4403 days ago
Hey, thanks - it's a valid concern, though an important point (which isn't really well explained in the document) is that this payload will work even if the tag isn't properly terminated. One of the reasons for using such broken payloads is to demonstrate that browsers will happily parse broken markup and that approaches such as removing "<.*>" won't be effective as a technique to prevent XSS (because such a regexp won't match an unterminated tag like the example you pointed out). Still, it could at least use a better explanation. The documentation fairy will take a look!
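The point made in the comment above, as an added example that is not part of the original comment or of the XSS game's code: a filter that deletes `<.*>` is compared with output encoding on constructed inputs. The function names and sample strings are hypothetical, and the multi-line case goes one step beyond the comment (in JavaScript `.` does not match a newline, so a tag split across lines is missed as well).

```javascript
// Naive filter from the discussion: delete anything that looks like a complete tag.
function stripTags(input) {
  return input.replace(/<.*>/g, "");
}

// Output encoding: make every markup-significant character inert instead of
// trying to recognise tags.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True if a raw "<" followed by a letter survives, i.e. an HTML parser would
// still start reading a tag when this output is placed in a page.
function stillOpensTag(output) {
  return /<[a-zA-Z]/.test(output);
}

// Constructed sample inputs (harmless image tags, no script content).
const samples = {
  terminated: 'hello <img src="constructed.png" alt="a"> world',
  unterminated: 'hello <img src="constructed.png" alt="a" ',
  multiline: 'hello <img\nsrc="constructed.png"\n> world',
};

// Run both defences over one input and report what is left.
function compare(input) {
  const stripped = stripTags(input);
  const escaped = escapeHtml(input);
  return {
    stripped,
    escaped,
    strippedStillOpensTag: stillOpensTag(stripped),
    escapedStillOpensTag: stillOpensTag(escaped),
  };
}

for (const [name, input] of Object.entries(samples)) {
  console.log(name, compare(input));
}
```

Only the properly terminated, single-line tag is removed by the regexp; the other two inputs pass through unchanged, while the encoded output contains no raw `<` in any of the three cases.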