On 5/21/07, 3APA3A <[EMAIL PROTECTED]> wrote:
> It's not true, because it's quite a convertible character. At least for IIS:
>
> http://example.com/test.asp?q=%uFF1Cscript>alert("Hello")</script>
>
> where test.asp is
>
> <%=Request.QueryString("q")%>
>
> launches javascript.

This does not work for me for IIS 6 and IE 7. What platform did you test?

Regards,
Brian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
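Added example, not part of either message: a defender-side check for the case under discussion, where `%uFF1C` (U+FF1C, fullwidth less-than) contains no ASCII `<` and so passes a filter that inspects the value before any character conversion. The function names are hypothetical, and Unicode NFKC folding is used here as an assumed stand-in for whatever conversion the server applies; the thread itself does not settle which platforms perform one.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# The query value from the quoted message above.
SAMPLE = '%uFF1Cscript>alert("Hello")</script>'

HTML_META = set("<>\"'&")
PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_query_value(raw: str) -> str:
    """Decode standard %XX escapes, then the non-standard %uXXXX form."""
    return PCT_U.sub(lambda m: chr(int(m.group(1), 16)), unquote(raw))


def hidden_metachars(value: str) -> list:
    """List (char, folded) pairs where a non-ASCII char folds to HTML markup.

    Assumption: NFKC stands in for whatever conversion the server applies.
    """
    found = []
    for ch in value:
        if ord(ch) > 0x7F:
            folded = unicodedata.normalize("NFKC", ch)
            if HTML_META.intersection(folded):
                found.append((ch, folded))
    return found


def render_safely(raw: str) -> str:
    """Fold to canonical form first, then HTML-encode for output."""
    value = unicodedata.normalize("NFKC", decode_query_value(raw))
    return html.escape(value, quote=True)


if __name__ == "__main__":
    decoded = decode_query_value(SAMPLE)
    print("ASCII '<' at start:", decoded.startswith("<"))
    print("folds to markup:", hidden_metachars(decoded))
    print("encoded output:", render_safely(SAMPLE))
```

On the ASP page itself the equivalent output fix is to wrap the value in `Server.HTMLEncode` instead of writing `Request.QueryString("q")` directly.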
