A stored XSS vulnerability was discovered in Outlook.com's iOS browser implementation when viewing crafted PowerPoint files containing JavaScript protocol hyperlinks. The attack requires uploading a specially formatted .ppt file (saved as 97-2003 format) with a malicious javascript: URL, which executes when clicked in the email attachment viewer on iOS browsers.
A researcher discovered a blind stored XSS vulnerability in a form-building service by bypassing quote filters using the javascript: URI scheme merged with legitimate URLs, allowing arbitrary JavaScript execution on admin pages. The technique leverages acceptance of alternative URI schemes (javascript:https://) combined with rendering in anchor tags to inject payloads that execute when accessed by form creators.
A reflected XSS vulnerability was discovered on admin.google.com's ServiceNotAllowed page where the 'continue' parameter was not validated, allowing attackers to inject javascript: protocol URLs that execute when the page redirects, enabling account takeover and privilege escalation of Google Apps administrators.
A researcher discovered a URI-based XSS vulnerability in a redirect parameter (example.com/social?redirect=) using Google dorking to find hidden endpoints, exploiting javascript:// protocol handling to execute arbitrary JavaScript when users logged in after being redirected to a malicious URL.
A reflected XSS vulnerability in an OAuth2 redirect_uri parameter was escalated from simple alert injection to account takeover by extracting CSRF tokens from meta tags and automating admin user creation without authentication. The writeup demonstrates a practical methodology for showing XSS impact through functional exploitation rather than simple proof-of-concept.
A stored XSS vulnerability was discovered in Google Custom Search Engine's promotion URL feature, where javascript: protocol handlers were not filtered, allowing attackers to inject malicious URLs that execute when victims click promoted results.