Relative urls on your website are suddenly using the wrong domain.
Cause:
It’s XSS (sort of).
<base> element will change the target of all relative urls on the page.
<base> is supposed to be in <head>, but Chrome (and possibly other browsers) will respect it when in <body>.
Solution:
Add <base> to the blacklisted elements on all of your user inputs.
Check existing user content.
Use absolute urls.
No comments:
Post a Comment