In javascript events, when the parameter is an encoded value, javascript will perform the decoding in the following code.
<A href = # onmousemove = "& #97; & #108; & #101; & #114; & #116; & #40; & #47; & #119; & #111; & #121; & #105; & #103; & #117; & #105; & #47; & #41; "> xxx </a>
In addition, because javascript supports function parameters, the following code can be used:
<Script> x (alert (1); </script>
Two features can cause the following security problems:
<A href = "#" onmousemove = "xxx (& #39; + alert (1) + & #39;, 44); return false;"> woyigui </a>
When javascript code is encoded into the page, you can use the decoding feature of event execution to close single quotes, and then use the function parameters to code the code. This method cannot be directly used in script. For example, the following code cannot be executed:
<Script>
Xxx (& #39; + alert (1) + & #39 ;);
</Script>
As a result of the above problems, in a specific application environment, processing and solving DOM-type XSS will be more challenging. The solution is to use the symbol again After decoding, but the special application may have an impact.