Stack Overflow has had a mobile version of the site for quite a while now, and to make life easy for our users, we have a switcher in the footer – allowing one to toggle between the mobile and the full versions of the site.
The link markup looked like the following:
<a onclick='StackExchange.switchMobile("on", "/some/path")'>mobile</a>
"/some/path" is the current request path – this ensures that when switching between mobile and full, one remains on the same page.
As it turns out, this path was rendered to the page using HTML encoding only, meaning that when accessing the site with the URL
How does it work?
When rendering the path %22,alert%281%29,%22, the link ended up looking like this:
<a onclick='StackExchange.switchMobile("on", "",alert(1),"")'>mobile</a>
The initial fix was to ensure the double-quote character (") was correctly encoded. It was a quick fix – done to minimize damage from this particular form of attack. It was followed by a change to the StackExchange.switchMobile function, which no longer takes a path parameter at all and so precludes this attack – the path is no longer in a string, and URL checking was moved to the server side.