On principle XSS- resolve character encoding and browser
https://security.yirendai.com/news/share/26
https://www.cnblogs.com/iceli/p/8598709.html
To understand the payload parsing process, in order to construct available
example
1 |
<a onclick="window.open('value1')" href="javascript:window.open('value2')"></a> |
// href attribute will first have to decode url
browser decoding order:
Value1:HTML解码 -> JavaScript解码 -> URL解码
Value2:HTML解码 -> URL解码 -> JavaScript解码 -> URL解码
Original: Large column understood browser resolution mechanism and XSS vector coding