You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Dec 21, 2022. It is now read-only.
I use securityswitch in my mvc project,and the secure url with xss will be
excute,but no the un-unsecure,for example:
the config:
<add path="~/controler/action1" security="Insecure" />
<add path="~/controler/action2/" security="Secure" matchType="StartsWith" />
and i visit the website with the follow:
http://localhost:8086/controler/action1/'==alert%28389%29=='
http://localhost:8086/controler/action2/'=alert%28389%29=='
the second url will execute the js in the browser;but the first one will not;
but if i change the second url as follow:
https://localhost:8083/controler/action2/'=alert%28389%29==', the js also will
not be execute.
so I doubt the process that http switch to https decoding the url correctly?
Original issue reported on code.google.com by moxia...@gmail.com on 12 May 2015 at 2:45