Comments on: Forget sidejacking, clickjacking, and carjacking: enter “Formjacking”

By: Some dude

Some dude — Fri, 25 Jun 2010 14:48:38 +0000

Bear in mind that HTML is not XML (unless of course it is XHTML). So expecting HTML to behave like XML will lead you astray. Your test pages are HTML.

In HTML there is no such thing as a self closing tag so it is behaving exactly as you would expect it to.

If you altered your test pages to be XHTML (appropriate doctype etc.) then they *might* behave differently.

By: Serge Droganov

Serge Droganov — Fri, 25 Sep 2009 22:53:51 +0000

Hi.
Interesting fact…
This has nothing in common with script tag, it’s insane to allow it with the policy.

And what about the forms this could be fixed with a policy file as well. AntiSamy could accept only local or global locations for example. And not both together.

And of course this is not a good idea to have so permissive policy with the public website. ‘Only formatting tags policy’ is OK in most of the cases.

All controls should be defined as custom tags like in google blogs template editor: [show:loginform/] — self-contained and no attributes.

By: Jerry

Jerry — Sun, 24 May 2009 20:21:33 +0000

Formjacking is just a joke name – the real name is unclosed-tag-jacking, which I think we can all agree is a great name.

By: Eric

Eric — Wed, 13 May 2009 21:35:49 +0000

That’s pretty sweet. Works in Chrome as well, so the other WebKit browsers should do the same thing.

By: Eric Friese » Formjacking

Eric Friese » Formjacking — Wed, 13 May 2009 21:32:38 +0000

[...] read a cool post over at omg.wtf.bbq about a new attack called “formjacking”. Not sure about the attack name, but this is pretty [...]

By: arshan dabirsiaghi

arshan dabirsiaghi — Tue, 12 May 2009 12:31:16 +0000

well we do need names for things, but yes the name was a joke. =)

By: Troll

Troll — Sat, 09 May 2009 09:41:06 +0000

Formjacking? Another term for a very silly attack!? Names for vulns suck!! we should all use “xss” for everything, from csrf to rfi!!!