"http://website.com/#%3Cimg%20src=x%20onerror=alert%28/XSSed/%29%3E)" $(".selector [thing="+window.location.hash.substr(1)+"]");
The problem is that this is occurring throughout their scripts and would need a lot of regression testing to fix e.g. if we escape the data if statements won't return true any more as the data won't match.
Is there a way to prevent these DOM XSS attacks with some global code without having to go through and debug each instance.
I proposed that we add a little regular expression at the top of the script to detect common chars used in XSS attacks and to simply kill the script if it returns true.
This appears to work but I'm not 100% happy with the solution. Does anyone have a better solution or any useful insight they can offer?</div