Come funziona esattamente la recente vulnerabilità TweetDeck? Dice qui che ha qualcosa a che fare con il carattere del cuore HTML ma non lo faccio comprendere appieno cosa significa la spiegazione. Dal link:
" I was tweeting about the HTML-heart-symbol (♥), because I didn't know that this is possible," He told The Register in response to questions via email.
TweetDeck is not supposed to display this as an image. Because it's simple text, which should be escaped to '♥'. But in my tweet I used the Unicode-character of the heart as a reference for my followers.
There were two hearts. One was black (at the position where the ♥ was supposed to be) and one was red (this one was the Unicode-char and got replaced by TweetDeck).
So, I started to play around, and discovered, that the Unicode-Heart (which gets replaced with an image by TweetDeck) somehow prevents the tweet from being HTML-escaped. So I used a strong-HTML-tag to verify this ... It worked.
So I wrote a little script which displays a popup and then blocks itself. It worked."
Che cosa era esattamente il vettore di attacco qui? E come ha "in qualche modo impedito che il tweet venisse eseguito con l'HTML"?