C with xss = C
#1

[eluser]CrustyDOD[/eluser]
Just saw this. When you use XSS on input field and you have let's say this: SecretCPasword

When you submit that, it will result in: SecretCPasword

Which is wrong.

Any way to fix this behaviour and still be able to use XSS?
#2

[eluser]Dam1an[/eluser]
You either had something stripped out (an 's' perhaps) or there's no difference?
#3

[eluser]CrustyDOD[/eluser]
Oh lol, see it works the same here!

Secret%.4.3Pasword <--- REMOVE dots (.)

Result is SecretCPasword which is wrong!
#4

[eluser]SardiorDragon[/eluser]
A simple fix (and one you are probably not looking for) is to just not allow %'s in passwords.
#5

[eluser]CrustyDOD[/eluser]
Yes, and what about for example message field and stuff like that? Even this field that I'm typing into it, same thing. Should I ban % from ALL the fields? Bad bad fix. :)
#6

[eluser]SardiorDragon[/eluser]
I was only thinking you cared about passwords. So yes that fix would fail for all other fields. I don't have a fix for the other fields at this time.
#7

[eluser]Thorpe Obazee[/eluser]
[quote author="CrustyDOD" date="1245963923"]Just saw this. When you use XSS on input field and you have let's say this: SecretCPasword

When you submit that, it will result in: SecretCPasword

Which is wrong.

Any way to fix this behaviour and still be able to use XSS?[/quote]

Am I missing something? "SecretCPasword" looks very very very similar to "SecretCPasword".
#8

[eluser]SardiorDragon[/eluser]
[quote author="bargainph" date="1245995803"]
Am I missing something? "SecretCPasword" looks very very very similar to "SecretCPasword".[/quote]

Look at:

[quote author="CrustyDOD" date="1245974321"]Oh lol, see it works the same here!

Secret%.4.3Pasword <--- REMOVE dots (.)

Result is SecretCPasword which is wrong![/quote]

See the %.4.3 (remove the dots and you get C when the xss is run on it).
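The behaviour described in this thread, as an added example that is not part of any post here and is not the framework's own code: `decoding_filter` is a hypothetical stand-in that assumes the input filter URL-decodes before neutralising markup, and the salt and inputs are constructed. It shows why filtering a password before hashing changes it, and the alternative of hashing the raw value and escaping other fields at output time.

```python
import hashlib
import html
from urllib.parse import unquote

SALT = b"constructed-demo-salt"  # constructed value; use a random per-user salt


def decoding_filter(value: str) -> str:
    """Hypothetical stand-in for an input filter that URL-decodes the value
    before neutralising markup (assumed from the result reported above)."""
    decoded = unquote(value)  # "%43" becomes "C" here, silently
    return decoded.replace("<", "&lt;").replace(">", "&gt;")


def is_altered(value: str) -> bool:
    """True when the filter would store something other than what was typed."""
    return decoding_filter(value) != value


def hash_password(raw: str) -> bytes:
    """Hash the password exactly as typed; it is never rendered as HTML,
    so it needs no XSS filtering at all."""
    return hashlib.pbkdf2_hmac("sha256", raw.encode("utf-8"), SALT, 100_000)


def render_field(stored: str) -> str:
    """Escape at output time, leaving the stored text untouched."""
    return html.escape(stored, quote=True)


def demo() -> dict:
    typed = "Secret%43Pasword"  # constructed input from the thread's example
    return {
        "filtered": decoding_filter(typed),
        "altered": is_altered(typed),
        # Filtering before hashing makes two different passwords equivalent.
        "collides": hash_password(decoding_filter(typed))
        == hash_password("SecretCPasword"),
        "raw_differs": hash_password(typed) != hash_password("SecretCPasword"),
        "message": render_field("Secret%43Pasword <script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
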



