This repository was archived by the owner on Dec 21, 2022. It is now read-only.

url with xss #57

@GoogleCodeExporter

I use securityswitch in my MVC project, and the secure URL with XSS will be 
executed, but not the insecure one, for example:

the config:
<add path="~/controler/action1" security="Insecure" />
<add path="~/controler/action2/" security="Secure" matchType="StartsWith" />

and I visit the website with the following:
http://localhost:8086/controler/action1/'==alert%28389%29=='
http://localhost:8086/controler/action2/'=alert%28389%29=='
The second URL will execute the JS in the browser, but the first one will not.
But if I change the second URL as follows:
https://localhost:8083/controler/action2/'=alert%28389%29=='
the JS also will not be executed.
So I doubt whether the process that switches HTTP to HTTPS is decoding the URL correctly?

Original issue reported on code.google.com by moxia...@gmail.com on 12 May 2015 at 2:45
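
The reporter's suspicion, that the HTTP-to-HTTPS switch decodes the URL before reusing it, is illustrated below next to a form that keeps the path encoded. This is an added example, not SecuritySwitch's code and not a confirmed root cause; `HttpsRedirectExample`, `Naive` and `Hardened` are hypothetical names, and it assumes the redirect response echoes the target URL in its body.

```csharp
using System;
using System.Net;

// Added illustration; hypothetical names, not SecuritySwitch's implementation.
public static class HttpsRedirectExample
{
    // Pattern to avoid: decode the requested path, then concatenate it into
    // the Location value and the response body without re-encoding.
    public static (string Location, string Body) Naive(string host, string rawPathAndQuery)
    {
        string decoded = WebUtility.UrlDecode(rawPathAndQuery); // %28 -> (, %29 -> )
        string target = "https://" + host + decoded;
        return (target, "<a href='" + target + "'>Object moved</a>");
    }

    // Safer pattern: keep the path percent-encoded as received, percent-encode
    // characters that are meaningful in markup or script, and HTML-encode the
    // value wherever it is written into the body.
    public static (string Location, string Body) Hardened(string host, string rawPathAndQuery)
    {
        // Accept only same-site, path-absolute targets.
        if (!rawPathAndQuery.StartsWith("/", StringComparison.Ordinal) ||
            rawPathAndQuery.StartsWith("//", StringComparison.Ordinal))
        {
            rawPathAndQuery = "/";
        }

        string encoded = rawPathAndQuery
            .Replace("'", "%27").Replace("\"", "%22")
            .Replace("<", "%3C").Replace(">", "%3E");
        string target = "https://" + host + encoded;
        return (target, "<a href=\"" + WebUtility.HtmlEncode(target) + "\">Object moved</a>");
    }

    public static void Main()
    {
        // Constructed input: the path from the report, as a browser sends it.
        const string raw = "/controler/action2/'=alert%28389%29=='";

        var naive = Naive("localhost:8083", raw);
        var hardened = Hardened("localhost:8083", raw);

        Console.WriteLine("naive body:    " + naive.Body);
        Console.WriteLine("hardened body: " + hardened.Body);
        Console.WriteLine("hardened Location: " + hardened.Location);
    }
}
```

Comparing the two bodies shows where the quote and parentheses from the request survive into the response and where they stay encoded.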
