Re: CSS before redirect

[Marc Slemko <marcs () znep com>]

On Mon, 8 Sep 2003, Jeremiah Grossman wrote:

> In the course of hunting down cross-site scripting, one is bound to
> find what I have loosely referred to as "unusable" XSS (bad name).
>
> As most are familiar, XSS is very browser dependent.
>
> Specifically in this case, your browser is likely not interpreting the
> HTML on a 302
> response code.  Why would it need to anyway. So, as much as this IS an
> XSS issue,
> it poses no risk to the browser you are using. Perhaps another browser
> would be.
> The standard fix could be suggested just the same however, just in case.

Yes, the browser generally won't intepret it ...unless you can control the
entire target of the redirect, in which case you may be able to get the
browser to stop trying to follow the redirect and just display the content
of the page by either having the redirect point to the same URL that is
issuing it, or have a loop of redirects that end up back at the same URL
at the same time the browser runs into its maximum-number-of-redirects
limit.

Yes, definitely browser specific.