

SemicolonScript - rodh257
http://rodhowarth.com/semicolonscript/

======
mikegirouard
This reminds me of a demo I saw Billy Hoffman[1] do a while back at a
conference. He demonstrated a way of embedding whitespace in a forum post that
is mapped to a malicious JS method injected via XSS. The point was to
circumvent HTML sanitation attempts to strip raw JS code.

This tool could be used for something similar. Just replace the semicolon
token[2] with something less obvious (say '\t' for example), and you've got a
pretty interesting tool.

[1]: <https://en.wikipedia.org/wiki/Billy_Hoffman> [2]:
[https://github.com/RodH257/SemicolonScript/blob/master/Defau...](https://github.com/RodH257/SemicolonScript/blob/master/Default.htm#L41)

