Re: Hotmail security hole - injecting JavaScript using <IMG
Subject: Re: Hotmail security hole - injecting JavaScript using
From: Henrik Nordstrom (hno HEM.PASSAGEN.SE)
Date: Tue Jan 04 2000 - 18:25:02 CST
Kevin Hecht wrote:
> While Hotmail obviously has a filtering hole, should the browser
> manufacturers be on the hook here as well, given that javascript: URLs
> probably shouldn't be rendered at all by the <IMG> tag?
JavaScript can be used to calculate the URL to open in an IMG tag.
<IMG SRC="&{find_image_to_open()};">
What is more surprising is why it is so hard to make a JavaScript
scrubber filter. The ways javascript may be inserted in HTML are generic,
and not tied to any specific tag or attributes. (see Netscape JavaScript
client guide, chapter 9)
<script>
</script>
<tag attribute="&{javascript_code};">
<tag url_attribute="javascript:javascript_code">
Due to the open nature of HTML it is impossible to know all attributes
which may contain URLs. And I think it is safe to assume that all
attribute values may contain URLs... I can't come up with a practical
HTML application where the attribute value "javascript:<something>"
makes much sense other than when referring to javascript code to be
executed.
-- Henrik Nordstrom