Whenever i visit a site, i usually try things like these:<br><br>http://www.tuts4you.com/user.php?\">DigitalAcidWasHere<br><br>You can type anything after the \"> and it will be shown on the site.<br>I tried using alert and document.write, but the site seems to filter out most of the special characters, like semicolon, comma etc. resulting in an \"Access Denied\" page =).<br>
Ok - let me be more specific <img alt="\":)\"" src="%5C"><br><br>A double quote is url encoded before being echoed into the page and a single quote brings up \"Access Denied\"
The problem is that FF and IE encode the url differently before sending them. Check the source <img alt="\":P\"" src="%5C"><br>FF:<br><pre><form method=\"post\" action=\"http://www.tuts4you.com/user.php?%22%3E%3Cmarquee%3EDigitalAcidWasHere%3C/marquee%3E\"></pre><br>IE:<br><pre><form method=\"post\" action=\"http://www.tuts4you.com/user.php?&amp;quot;><marquee>DigitalAcidWasHere</marquee>\"></pre><br>IE seems to render the code incorrectly too <img alt="\":P\"" src="%5C">