Today I want to present a great piece of work on XSS via CSS injection. Following Martin's amazing work, style="xx:expression((window.r!=1)? ...... , Gareth wrote a more complete example of an injection scenario. Here it is!
Translated from hexadecimal, that becomes:
It's still incredible to see code execute even after it has been converted entirely into entities, the way htmlspecialchars does. Yes, incredible but true! Some people say you should never allow users to insert HTML code in your pages, but I don't think so: it's difficult to give something and then take it back, and it's difficult to say STOP HTML to users now, when users live on HTML. Maybe security staff must learn from this "other example" and work hard to prevent other, similar things.
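The reason the encoded payload still runs is that the browser decodes HTML character references in the style attribute before the CSS parser sees it, and the CSS parser then decodes its own backslash escapes; a keyword filter that looks at the raw attribute value never sees the word `expression`. The following is an added example (my own code, not from the original post, nor Gareth's or Martin's work) of a filter that normalizes the attribute value through both decoding steps before checking for `expression(`. The encoded style strings are constructed samples, and the function names are my own.

```javascript
// Added example: a naive style-attribute filter versus one that normalizes
// the value the way the browser does (HTML entity decode, then CSS unescape)
// before looking for expression(). Sample inputs are constructed.

// Constructed sample: "expression(" written entirely as hex character
// references. The raw text never contains the keyword.
const ENTITY_ENCODED_STYLE =
  'xx:&#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6f;&#x6e;&#x28;alert(1)&#x29;';

// Constructed sample: the same thing using CSS backslash escapes, which the
// CSS tokenizer resolves (\65 = 'e', \28 = '(', \29 = ')').
const CSS_ESCAPED_STYLE = 'xx:\\65xpression\\28 alert(1)\\29';

// Naive filter: searches for the literal keyword in the raw attribute value.
function naiveBlocksExpression(styleValue) {
  return /expression\s*\(/i.test(styleValue);
}

// Decode numeric character references (&#NN; and &#xHH;) plus the named ones
// an htmlspecialchars-style encoder emits, as the HTML attribute parser would.
function decodeHtmlEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1].toLowerCase() === 'x';
      const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) ? String.fromCodePoint(cp) : match;
    }
    const value = named[body.toLowerCase()];
    return value !== undefined ? value : match;
  });
}

// Decode CSS backslash escapes: \HHHHHH (1-6 hex digits, optional trailing
// whitespace swallowed) or \ followed by any single character.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})\s?|\\(.)/gi, (match, hex, ch) =>
    hex ? String.fromCodePoint(parseInt(hex, 16)) : ch);
}

// Normalize in browser order: entities first (attribute parsing), then CSS
// escapes (CSS tokenizing), then drop CSS comments that could split the keyword.
function normalizeStyle(styleValue) {
  return decodeCssEscapes(decodeHtmlEntities(styleValue))
    .replace(/\/\*[\s\S]*?\*\//g, '');
}

// Hardened filter: checks the normalized value instead of the raw one.
function normalizedBlocksExpression(styleValue) {
  return /expression\s*\(/i.test(normalizeStyle(styleValue));
}

// Stand-alone demonstration.
for (const sample of [ENTITY_ENCODED_STYLE, CSS_ESCAPED_STYLE]) {
  console.log(JSON.stringify(sample));
  console.log('  naive filter blocks:      ', naiveBlocksExpression(sample));
  console.log('  normalized value:         ', normalizeStyle(sample));
  console.log('  normalized filter blocks: ', normalizedBlocksExpression(sample));
}
```

Decoding order matters: the attribute value is entity-decoded before CSS ever tokenizes it, so a payload can mix both encodings and a filter that applies only one of the decoders still misses it. Normalizing is only a mitigation for the keyword-search approach; a whitelist of allowed CSS properties and values is the more robust way to let users keep HTML without keeping `expression()`.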