
Reflected browser-dependent XSS on mts.ru

Having finished my business on the MTS website, I decided out of habit to check the search field for XSS. I found one surprisingly quickly, reported it, and MTS fixed it. Details under the cut.

The search on spb.mts.ru, and on mts.ru in general, was vulnerable to XSS.

The injection point in the site's markup (the search term landed inside the querystring value):

<script type="text/javascript" language="javascript">
    $(document).ready(function () {
        $('#LinksHeader').hide();
        if (window.exportCap) {
            exportCap({
                path: "/live/shopSearchHelper.aspx",
                querystring: "</script><script>alert(document.cookie);</script>",
                regionid: 1801,
                allResuls: "http://spb.shop.mts.ru/?q="
            });
        }
        if ("False" == "True") $('#LinksHeader').show();
    });
</script>

The string entered into the search ended up in the querystring parameter, where for some reason only double quotes and apostrophes were replaced with HTML entities. Everywhere else on the page the output was escaped correctly.

Submitting the following string to the search produced an alert containing the cookie in the then-current versions of Firefox and Opera:
 </script><script>alert(document.cookie);</script> 

There was no alert in Chrome; I did not check IE.
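The point the post makes, that replacing only quotes and apostrophes does nothing against a "</script>" inside a JavaScript string, is easy to see once you remember that the HTML tokenizer, not the JavaScript engine, decides where a script element ends. The following is an added example, not code from the original post or from MTS: it models the weak encoding the post describes next to an encoding that is safe inside an inline script, renders the same exportCap() call with both, and shows what the HTML parser sees in each case. The function names, the benign query and the render helper are constructed for illustration; the breakout string is the one from the post. Whatever caused the browser difference, the server-side fix is the same.

```javascript
// Added example (not from the original post): quote-only escaping versus an
// encoding that is safe inside inline <script> content.

// Weak escaping as described in the post: " and ' become HTML entities,
// but "</script" passes through untouched.
function escapeQuotesOnly(value) {
  return String(value).replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Safe embedding: produce a JavaScript string literal via JSON.stringify
// (which escapes quotes and backslashes), then replace the characters the
// HTML tokenizer cares about inside script content with \u escapes.
// "<" becomes \u003c, so "</script" can never appear in the emitted markup,
// while the JS engine still decodes the literal to the original text.
function toScriptStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Two ways of building the literal that gets spliced into the script.
const quoteOnlyLiteral = (query) => '"' + escapeQuotesOnly(query) + '"';
const safeLiteral = (query) => toScriptStringLiteral(query);

// Render the inline script from the post with the chosen literal builder
// (constructed helper; the page itself was generated by an .aspx handler).
function renderSearchHelper(query, toLiteral) {
  return (
    '<script type="text/javascript">' +
    'exportCap({ path: "/live/shopSearchHelper.aspx", querystring: ' +
    toLiteral(query) +
    ", regionid: 1801 });" +
    "</script>"
  );
}

// How the HTML tokenizer sees it: the content of the first <script> element
// runs from the end of its start tag to the first "</script" (case-insensitive),
// regardless of any JavaScript string quoting inside it.
function firstScriptBody(html) {
  const start = html.search(/<script\b[^>]*>/i);
  if (start < 0) return null;
  const bodyStart = html.indexOf(">", start) + 1;
  const end = html.slice(bodyStart).search(/<\/script/i);
  return end < 0 ? html.slice(bodyStart) : html.slice(bodyStart, bodyStart + end);
}

// Count the script elements the fragment really contains; a correctly
// rendered fragment has exactly one.
function countScriptElements(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed inputs: a harmless search term and the string from the post.
const BENIGN_QUERY = "iphone 4s";
const BREAKOUT_QUERY = "</script><script>alert(document.cookie);</script>";

// Summary of both encoders against both inputs, returned rather than printed
// so the result can be inspected programmatically.
function summarize() {
  const out = {};
  for (const [name, q] of [["benign", BENIGN_QUERY], ["breakout", BREAKOUT_QUERY]]) {
    out[name] = {
      quoteOnlyScriptElements: countScriptElements(renderSearchHelper(q, quoteOnlyLiteral)),
      safeScriptElements: countScriptElements(renderSearchHelper(q, safeLiteral)),
      quoteOnlyBodyIntact: firstScriptBody(renderSearchHelper(q, quoteOnlyLiteral)).includes("regionid"),
      safeBodyIntact: firstScriptBody(renderSearchHelper(q, safeLiteral)).includes("regionid"),
    };
  }
  return out;
}

console.log(JSON.stringify(summarize(), null, 2));
```

With the quote-only encoder the breakout string splits the fragment into two script elements and the first one is cut off before regionid; with the safe encoder the fragment stays a single script element for both inputs, and JSON.parse() of the safe literal returns the original string unchanged, so no search functionality is lost. The same rule applies to any data placed inside script content: encode for the HTML script-data context (no "<", no "</", no "<!--"), not merely for the JavaScript string context.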

The vulnerability report was sent on June 17; it was fixed today.

I found it interesting that the browsers reacted differently to the submitted string, so I decided to write this post.

Source: https://habr.com/ru/post/147152/
