I stumbled upon Google’s firing range for DOM XSS testing, and this case caught my eye:
<script>
  var payload = window.location.hash.substr(1);
  document.write(payload);
</script>
As far as I know, Chrome, Firefox and Safari now URL-encode location.search, making the exploit fail:
result on page:
Given that the above-mentioned browsers take up most of the market share, is this vulnerability effectively not exploitable anymore? Or is there a way to exploit it despite the URL-encoding?
Thanks in advance.
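The sink from the test case beside a version whose safety does not depend on how the browser encodes the URL, as an added example that is not part of the original post or of the firing range. The function names, stub objects and sample fragment are constructed for illustration.

```javascript
// Pattern from the test case: the fragment reaches an HTML-parsing sink,
// so what happens depends entirely on the string the browser hands over.
function renderUnsafe(doc, hash) {
  doc.write(hash.slice(1));
}

// Read the fragment as data. Decoding is deliberate: the output path below
// has to be safe whether the value arrived percent-encoded or not.
function fragmentText(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (err) {
    return raw; // malformed percent-sequence: keep the raw text
  }
}

// Text sink: textContent never parses its value as markup.
function renderSafe(container, hash) {
  container.textContent = fragmentText(hash);
  return container;
}

// For the cases where a string must be placed into HTML element content.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample: harmless markup, once percent-encoded and once literal.
const SAMPLES = ['#%3Cb%3Ehi%3C%2Fb%3E', '#<b>hi</b>'];

function demo() {
  return SAMPLES.map((hash) => {
    const written = [];
    renderUnsafe({ write: (s) => written.push(s) }, hash); // stub document
    const box = renderSafe({ textContent: '' }, hash);      // stub element
    return {
      toHtmlParser: written[0],            // differs with the encoding
      asText: box.textContent,             // same for both inputs
      escaped: escapeHtml(box.textContent) // safe to place in element content
    };
  });
}

console.log(demo());
```

In a page, the stub objects are replaced by `document` and a real element; the text sink behaves the same for both sample inputs, while the string handed to `document.write` changes with the encoding.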