XSS attacks and style attributes

by

This does not work due to click-jacking vulnerability.

Example:

<a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a>

Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164

The code would be perfectly validated but it may cause serious damage.

So – rule of thumb use very strict white list or do not allow style attributes.

More Related Contents:

  1. How do you use window.postMessage across domains?
  2. html() vs innerHTML jquery/javascript & XSS attacks
  3. What makes an input vulnerable to XSS?
  4. how do i submit message to my email by html or js?
  5. JS hide function error
  6. Create a new div element when button is clicked JavaScript [closed]
  7. how to view the answer of a js function in a html input? [duplicate]
  8. How to implement something like this GIF that using mouse drag and select items
  9. How to create button to check uncheckable checkbox
  10. Load and execution sequence of a web page?
  11. Submit two forms with one button
  12. Zoom Canvas to Mouse Cursor
  13. How can I change div content with JavaScript?
  14. How can I capture the right-click event in JavaScript? [duplicate]
  15. How can I set multiple CSS styles in JavaScript?
  16. Unobtrusive JavaScript: at the top or the bottom of the HTML code?
  17. Why my show hide button needs double-click on first time
  18. Why does Jquery only affect the first div element? [duplicate]
  19. How to print only a selected HTML element?
  20. What is the size limit of a Base64 DataURL image?
  21. React: Script tag not working when inserted using dangerouslySetInnerHTML
  22. Is there a flexible way to modify the contents of an editable element?
  23. clearRect not working
  24. How to detect overflow in div element?
  25. Sharing websocket across browser tabs?
  26. Open new window without focus on it [duplicate]
  27. window.getSelection return html [duplicate]
  28. How do I hide the address bar on iPhone?
  29. Hot to get incomplete datetime-local input values
  30. Content of html page changed by jQuery but “View Source” don’t reflect the changes

Leave a Comment