Originally found by Begeek, I cleaned up this vector considerably and made it work in all browsers. Despite what the article says it is not a Firefox exploit, but rather a way that all rendering engines handle malformed ecapsulation within HTML tags. Pretty tricky though and makes it pretty hard for filters that use homebuilt rendering engines.

This entry was posted on Thursday, January 1st, 1970 at 12:00 am and is filed under XSS, Webappsec. You can leave a response as well.