YouTube XSS [SOLVED]
It has nothing to do with the "IF_HTML_FUNCTION?" bit, I'm really not sure where that originated from. This was caused by the unclosed script tag(s), and then having some random text before entering HTML code. The HTML code would then not be filtered out. This also allowed JavaScript through attributes like onload and onerror.
"<script>randomstuff<h1>Test</h1><script>" would have worked fine too, and I think the last script tag was even unnecessary in some cases.
stealth- wrote: It has nothing to do with the "IF_HTML_FUNCTION?" bit, I'm really not sure where that originated from. This was caused by the unclosed script tag(s), and then having some random text before entering HTML code. The HTML code would then not be filtered out. This also allowed JavaScript through attributes like onload and onerror.
"<script>randomstuff<h1>Test</h1><script>" would have worked fine too, and I think the last script tag was even unnecessary in some cases.
Thanks, I knew why it failed, I just didn't understand why they used IF_HTML_FUNCTION and I didn't have time to test this myself.
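The failure mode discussed in this thread, as an added example that is not part of the original posts and is not YouTube's code: a hypothetical stateful filter (`naiveFilter`) that stops escaping once it sees an unclosed script tag, next to unconditional output encoding (`encodeForHtml`). All function names and the filter's internals are assumptions made for illustration; the test input is the string quoted in the thread.

```javascript
// Escape every HTML metacharacter, regardless of surrounding context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed model of a flawed filter (hypothetical, not YouTube's code).
// Normal text is escaped. On "<script>" it looks for "</script>" so it can
// drop the whole block; if the block never closes, the remainder is flushed
// without escaping. That last branch is the bug.
function naiveFilter(input) {
  const open = /<script\b[^>]*>/i;
  const close = /<\/script\s*>/i;
  let out = "";
  let rest = input;
  while (rest.length > 0) {
    const o = open.exec(rest);
    if (!o) { out += escapeHtml(rest); break; }
    out += escapeHtml(rest.slice(0, o.index));
    const body = rest.slice(o.index + o[0].length);
    const c = close.exec(body);
    if (!c) { out += body; break; }   // flaw: unterminated block passes raw
    rest = body.slice(c.index + c[0].length);
  }
  return out;
}

// Hardened form: no tag state machine at all, just encode everything.
function encodeForHtml(input) {
  return escapeHtml(input);
}

// Regression check a filter test suite can run on any rendered output.
function hasRawMarkup(output) {
  return /[<>]/.test(output);
}

// Input quoted in the thread above.
const THREAD_INPUT = "<script>randomstuff<h1>Test</h1><script>";

console.log("naive  :", naiveFilter(THREAD_INPUT), hasRawMarkup(naiveFilter(THREAD_INPUT)));
console.log("encoded:", encodeForHtml(THREAD_INPUT), hasRawMarkup(encodeForHtml(THREAD_INPUT)));
```

Running `hasRawMarkup` over the filter's output for unterminated-tag inputs like this one is a cheap regression test for any comment sanitizer.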