I’m always amazed at people who think that blocking alert() is actually an effective way to block cross-site scripting. I’ve seen it myself, and it’s one of those things that never sounded right, even the first time I saw it years ago. It sounds even less right now, and here’s an email from a friend of mine, Jon McClintock, that shows why:
I just got a nice XSS “win” that I thought I’d share with you. The app had an odd filter that would block JS calls to the alert() method.
So this (invalid JS) input got in:
But this didn’t:
The usual whitespace and comment tricks didn’t work either, and other useful methods, such as eval, were also blocked. So what do you do? Function pointer, of course:
That’s a great example of pointing to functions, but what about things like confirm() or prompt()? Sure, maybe all of those are blocked too, but come on... it’s time to start addressing the problem, rather than trying to block one of the hundreds of ways someone can initiate the attack. Anyway, great example!