Subject: | Possible XSS related issue with ->address |
The following string will pass Email::Valid->address
a<body/onload=alert('http://lol.com?'+document.cookies) @a.a>
If rendered in a firefox and chrome unescaped, this will execute the
embedded javascript.
It's actual use for exploit is somewhat limited as it relies on the
string getting rendered without escaping, and the javascript itself
cannot contain any double quotes or semicolons (among other restrictions
from email valid).
oneliner:
aprime@primepc:~$ perl -MEmail::Valid -e 'print
Email::Valid->address(q[a<body/onload=alert('http://lol.com?'+document.cookies)
@a.a>]) ? "yes" : "no", "\n"';
yes