Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Sami Ahmed Siddiqui

    (@sasiddiqui)

    Hi @makwelos

    Are you only using the encoding feature, or some other feature as well? Please share a screenshot of your settings.

    Also, you cannot see some entities encoded in the browser URL. Let’s say %3C is the encoded value of the < entity, but when you add the encoded value in the URL, it automatically transforms to its entity.

    Let me know your thoughts and findings if you have any.

    Thanks,
    Sami

    Thread Starter makwelos

    (@makwelos)

    Hi Sami Ahmed Siddiqui

    I have enabled all the options (Enable Blocking, Enable Encoding, Enable Escaping) and I’m not excluding any entities.

    Plugin Author Sami Ahmed Siddiqui

    (@sasiddiqui)

    @makwelos What’s the issue you are facing?

    If you have Enable Blocking on, then some entities get removed from the URL. You can find the entities which are blocked by the plugin.

    If you can provide a URL and describe your issue in detail, maybe I can provide you some help with it.

    Thanks,
    Sami

    Thread Starter makwelos

    (@makwelos)

    I have enabled Blocking. In Chrome, when I execute the URL below I get the alert box, but not in Firefox.

    https://www.example.co.za/#'">

    Plugin Author Sami Ahmed Siddiqui

    (@sasiddiqui)

    @makwelos Please add the URL in code format. Secondly, the plugin prevents XSS attacks which are sent to the server, whereas values after # will not be passed to the server, so this issue cannot be handled by the plugin.

    Regards,
    Sami

    Thread Starter makwelos

    (@makwelos)

    Oh I see, this issue is Cross-site scripting (DOM-based). Please see the URL below

    https://www.example.co.za/#'"><img src=1 onerror=alert(1)>

    • This reply was modified 5 years, 9 months ago by makwelos.
    Plugin Author Sami Ahmed Siddiqui

    (@sasiddiqui)

    There are 2 ways of DOM-based cross-site scripting.

    1. Using Query String
    2. Using Fragmentation

    For now, this plugin secures your site from Query String DOM-based XSS. You can read more about DOM-based XSS from here.
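The point made in Sami's replies above, that the fragment never reaches the server and so can only be handled in the page's own JavaScript, shown as an added example under Node.js. This is not the plugin's code and not code posted by anyone in this thread; the function names (requestTargetFor, fragmentTextFor, renderSafe, fragmentLooksHostile) are my own, and the sample URL is the one makwelos posted above.

```javascript
// Added example (not the plugin's code, not from this thread): why a
// server-side filter cannot see the URL fragment, and how client-side code
// should treat fragment data. Node's global URL class parses like a browser.

// Sample URL taken from the thread above.
const SAMPLE_URL = "https://www.example.co.za/#'\"><img src=1 onerror=alert(1)>";

// What the browser puts in the HTTP request line: path and query only.
// Everything from '#' onward stays in the browser, so a WordPress plugin
// that inspects the request URL or $_GET never sees it.
function requestTargetFor(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// What page JavaScript sees through location.hash: the raw, user-controlled
// fragment. The URL parser percent-encodes a few characters (", <, >, space),
// which is the %3C transformation Sami mentions; decoding restores them.
function fragmentTextFor(urlString) {
  const hash = new URL(urlString).hash.slice(1); // drop the leading '#'
  try {
    return decodeURIComponent(hash);
  } catch (e) {
    return hash; // malformed percent-encoding: keep as-is rather than throw
  }
}

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (the DOM-based XSS sink): fragment concatenated into
// markup, as with element.innerHTML = ... or document.write(...). Modelled
// as a string so it runs outside a browser.
function renderUnsafe(fragmentText) {
  return "<div>" + fragmentText + "</div>";
}

// Hardened pattern: the fragment is data, not markup. In a browser prefer
// element.textContent = fragmentText; if it must go into HTML, escape it.
function renderSafe(fragmentText) {
  return "<div>" + escapeHtml(fragmentText) + "</div>";
}

// Detection aid for client-side code or client-side logging: legitimate
// anchors never need tag or attribute delimiters.
function fragmentLooksHostile(fragmentText) {
  return /[<>"']/.test(fragmentText);
}

// Stand-alone run
const frag = fragmentTextFor(SAMPLE_URL);
console.log("sent to server :", requestTargetFor(SAMPLE_URL));
console.log("seen by script :", frag);
console.log("unsafe render  :", renderUnsafe(frag));
console.log("safe render    :", renderSafe(frag));
console.log("hostile?       :", fragmentLooksHostile(frag));
```

The request target for the sample URL is just `/`, which is all a server-side filter can inspect; the `<img ...>` text survives only in the fragment, and only a page script that writes it into an HTML sink turns it into markup. Rendering through textContent, or escaping as renderSafe does, keeps it inert regardless of browser.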

  • The topic ‘Chrome and IE’ is closed to new replies.