Re: Text injection on https://www.google.com/sorry/index via ?q parameter (no XSS) – Full Disclosure

Posted by David Fifield on Feb 15
Today at about 2025-02-13 19:00 I noticed the “≠” is back, but now the
type 0x12 payload of the ?q query parameter gets formatted into the
string representation of an IP address, rather than being copied almost
verbatim into the page. If the payload length is 4 bytes, it gets
formatted as an IPv4 address; if 16 bytes, as an IPv6 address. I didn’t
try a ton of experiments, but it looks like payload lengths other than 4
and 16…