Payload:

```html
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
```

Reference: http://seguretat.wiki.uoc.edu/index.php/XSS_Cheat_Sheet

Can someone please explain why this payload is not working?

Arun Joseph
  • No. That answer says this is not quite possible. But this vector is present in OWASP. If it doesn't work, then I will be happy to know "Why it doesn't". Which the answer you suggested hasn't explained – Arun Joseph Jan 17 '21 at 14:08
  • 2
    It does explain that. *The techniques to inject script code via CSS `expression(...)` or `url('javascript:...')` don't work in modern browsers.* Modern browsers simply do not accept `javascript:` urls when loading resources in CSS. – nobody Jan 17 '21 at 14:53

0 Answers
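A sanitizer-side check for this vector, as an added example that is not part of the original question or comments: since the comment above says only modern browsers reject `javascript:` URLs in CSS, it flags `url()` targets in an inline `style` value whose scheme is not allowlisted, plus any `expression(...)`. The function names and the allowlist are assumptions made for the example.

```javascript
// Added example (not from the page): audit an inline style value for script-bearing CSS.
const ALLOWED_SCHEMES = new Set(["http", "https"]); // assumption: site policy

// Decode CSS escapes (\6A, \00006a, \:) so an escaped scheme name cannot hide.
function decodeCssEscapes(css) {
  const re = /\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/g;
  return css.replace(re, (match, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
  });
}

// Return the lower-cased scheme of a URL, or null for a relative URL.
function schemeOf(target) {
  // URL parsers drop tab/CR/LF and leading control or space characters first.
  const cleaned = target.replace(/[\t\r\n]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Return one finding per url() whose scheme is not allowlisted, plus expression().
function findUnsafeCssUrls(styleValue) {
  const withoutComments = styleValue.replace(/\/\*[\s\S]*?\*\//g, "");
  const css = decodeCssEscapes(withoutComments);
  const findings = [];
  const urlRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*?))\s*\)/gi;
  for (const m of css.matchAll(urlRe)) {
    const target = m[1] ?? m[2] ?? m[3] ?? "";
    const scheme = schemeOf(target);
    if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) {
      findings.push({ kind: "url", scheme, target });
    }
  }
  if (/expression\s*\(/i.test(css)) {
    findings.push({ kind: "expression", scheme: null, target: "" });
  }
  return findings;
}

// The style value from the question, followed by a constructed benign value.
console.log(findUnsafeCssUrls("background-image: url(javascript:alert('XSS'))"));
console.log(findUnsafeCssUrls('background-image: url("https://example.com/bg.png")'));
```

A finding means the value should be dropped or rewritten before the markup is stored or served; an empty array means every `url()` is relative or uses an allowlisted scheme.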