After a data type commonly used on the Internet is parsed with malicious intent: XSS through XSLT.

Details: an XML file can contain an xml-stylesheet processing instruction that names an XSL file; the browser applies that stylesheet to format and display the XML. The XSL output can contain any HTML, including a <script> tag, so an alert can be triggered. The script that runs after the XML has been transformed has limited privileges and many operations cannot be performed, but in my opinion that does not stop it from being used for phishing.

Two conditions have to be met before this alert fires:
1. The browser must treat the response as XML, and some code must be inserted into it. You can see this for yourself.
2. There must be a page that satisfies the same-origin policy and outputs the XSL content, whether or not it was uploaded as an image.

In my opinion the exploitation of this issue should basically focus on file uploads. I remember that an Internet company allowed users to upload custom XML files for user space configuration, although I could not find the upload point again. Many forums should likewise allow XML uploads. The worst case is an AJAX callback interface that does not filter its input, outputs it directly, and sets the Content-Type to XML.

The code for the alert is below.

alert.xml:
<?xml version="1.0" encoding="iso-8859-1"?>
<?xml-stylesheet type="text/xsl" href="test.jpg"?>
<test></test>

test.jpg:
<?xml version="1.0" encoding="iso-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<!-- the original listing is cut off here; per the text above, the template body is HTML containing a script tag that calls alert -->
<html><body><script>alert(1)</script></body></html>
</xsl:template>
</xsl:stylesheet>

[screenshot: Chrome's alert]

The XSL file named in the XML file has no file-extension or Content-Type requirements (tested in Firefox and IE).
Solution:
Do not allow users to upload XML files, and filter any input that is written into XML output.
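The two mitigations above can be checked mechanically. The following is an added example, not code from the original post: it scans an XML document (an upload, or the body an AJAX endpoint is about to return) for the two ingredients the post describes, an xml-stylesheet processing instruction and XSLT markup, and shows that escaping the echoed value keeps an XML-returning endpoint from emitting either. The sample documents, file names and the echo_response endpoint are constructed for the example.

```python
"""Reject XML that would be rendered through an XSLT stylesheet.

Added example (not from the original post). Uses only the Python standard
library; the sample documents below are constructed for illustration.
"""
from xml.dom import minidom
from xml.dom.minidom import Node
from xml.parsers.expat import ExpatError
from xml.sax.saxutils import escape

XSL_NS = "http://www.w3.org/1999/XSL/Transform"


def _walk(node):
    """Yield every node in the DOM tree, depth first, starting at node."""
    yield node
    for child in node.childNodes:
        yield from _walk(child)


def xml_findings(data: bytes) -> list[str]:
    """Return the reasons this document must not be stored or served as XML.

    An empty list means no xml-stylesheet processing instruction and no
    XSLT element or attribute was found anywhere in the tree. Processing
    instructions are flagged wherever they appear, not only in the prolog,
    because one inside an element is never legitimate either. Input that
    does not parse is reported as a finding rather than silently accepted.
    """
    try:
        doc = minidom.parseString(data)
    except ExpatError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for node in _walk(doc):
        if node.nodeType == Node.PROCESSING_INSTRUCTION_NODE:
            if node.target == "xml-stylesheet":
                findings.append(f"xml-stylesheet processing instruction: {node.data!r}")
        elif node.nodeType == Node.ELEMENT_NODE:
            if node.namespaceURI == XSL_NS:
                findings.append(f"XSLT element <{node.tagName}>")
            # Also catch the literal-result-element form (<html xsl:version="1.0" ...>)
            for attr in node.attributes.values():
                if attr.namespaceURI == XSL_NS:
                    findings.append(f"XSLT attribute {attr.name} on <{node.tagName}>")
    return findings


def echo_response(value: str, escape_input: bool = True) -> bytes:
    """Body of a hypothetical AJAX endpoint that echoes a caller-supplied value as XML.

    With escape_input=True (the fix) the value is text and can never become
    markup. escape_input=False reproduces the unfiltered output the post warns about.
    """
    body = escape(value) if escape_input else value
    return f'<?xml version="1.0"?><result>{body}</result>'.encode()


# Constructed sample: a data file whose prolog points at a stylesheet (the shape of alert.xml above).
UPLOADED_XML = b'''<?xml version="1.0" encoding="iso-8859-1"?>
<?xml-stylesheet type="text/xsl" href="test.jpg"?>
<test></test>'''

# Constructed sample: the stylesheet itself, stored under an image file name.
UPLOADED_STYLESHEET = b'''<?xml version="1.0" encoding="iso-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><html><body>rendered</body></html></xsl:template>
</xsl:stylesheet>'''

# Constructed sample: an ordinary configuration document that should pass.
HARMLESS_XML = b'<?xml version="1.0"?><config><theme>dark</theme></config>'

# Constructed sample: a value a caller might send to the echoing endpoint.
PAYLOAD = '<?xml-stylesheet type="text/xsl" href="s.xsl"?>'

if __name__ == "__main__":
    for name, doc in [("upload", UPLOADED_XML), ("stylesheet", UPLOADED_STYLESHEET),
                      ("harmless", HARMLESS_XML),
                      ("echo escaped", echo_response(PAYLOAD)),
                      ("echo unescaped", echo_response(PAYLOAD, escape_input=False))]:
        print(name, "->", xml_findings(doc) or "ok")
```

An upload handler would reject any file for which xml_findings is non-empty; an endpoint that must answer with XML can run the same check on its final body as a last line of defence, but the real fix is the escaping in echo_response. minidom does not limit entity expansion, so on untrusted input in production swap in defusedxml.minidom.parseString (same signature) or cap the accepted size first.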