digi7al64 found yet another hole in myspace using non-alpha-non-digit exploit. Again, this time, like last time, MySpace is doing a bad job of stripping out tags. This is the fifth time they’ve been hit by this exact same issue. MySpace should really consider hiring someone who knows how to write while loops. Until then they are vulnerable yet again. The trick is again simple:
<body onload<script=alert('xss');> becomes: <body onload..=alert('xss');> because they strip out the <script tag without recursively iterating over the same string to ensure they haven’t created another vector.
Like Forrest Gump might have once said, “Blacklist stripping is like a box of chocolates - you know what you’re going to get.” You never know what the data is going to end up looking like until you’re done stripping it, which is why you need to recursively go over the text over and over until you have found nothing. This is a hard lesson to learn I guess. Nice job, digi7al64!