From: Nicolas Grégoire (nicolas.gregoireagarri.fr)
Date: Wed May 16 2012 - 12:29:11 CDT
> Uploading an SVG chameleon (SVG file triggering an XSLT
> transformation) to a website allows displaying nearly arbitrary
> content if the file is called directly.

In order to demonstrate this point _and_ the weird Opera behavior, I put
online an SVG chameleon and an HTML file calling it via <img>:
If the chameleon is called directly, Opera, Firefox and Webkit (IE
document. Look at the DOM, there's no more reference to the source SVG
If the chameleon is called via <img>, only Opera renders the HTML output
behavior is similar to the (i)frames one ... Screen-shot:
<shameless advertising>I'll demonstrate some additional XML/XSLT/SVG/...
tricks at Hack in the Box Amsterdam next week</shameless advertising>
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
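
An added example, not part of the original post: a server-side upload check that flags the markers of an SVG file asking the browser to run an XSLT transformation, using only the Python standard library. The function name, the finding labels, the policy of refusing any DTD, and the sample inputs are assumptions made for this sketch.

```python
import xml.parsers.expat

SVG_NS = "http://www.w3.org/2000/svg"
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed sample inputs (harmless, for illustration only).
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
WITH_PI = (b'<?xml-stylesheet type="text/xsl" href="placeholder.xsl"?>'
           b'<svg xmlns="http://www.w3.org/2000/svg"/>')
EMBEDDED = (b'<svg xmlns="http://www.w3.org/2000/svg"><xsl:stylesheet version="1.0" '
            b'xmlns:xsl="http://www.w3.org/1999/XSL/Transform"/></svg>')


class _Stop(Exception):
    """Raised from a handler to abort parsing early."""


def svg_upload_findings(data):
    """Return reasons to refuse an uploaded SVG; an empty list means none found."""
    findings = []
    seen_root = False

    def note(label):
        if label not in findings:
            findings.append(label)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        note("doctype")  # assumed policy: refuse any DTD outright
        raise _Stop

    def on_pi(target, pi_data):
        # <?xml-stylesheet ...?> is what asks the browser to apply a stylesheet.
        if target == "xml-stylesheet":
            note("xml-stylesheet-pi")

    def on_start(name, attrs):
        nonlocal seen_root
        ns, _, local = name.rpartition(" ")  # expat reports "namespace-uri local"
        if not seen_root:
            seen_root = True
            if (ns, local) != (SVG_NS, "svg"):
                note("root-not-svg")
        if ns == XSLT_NS:
            note("xslt-element")  # stylesheet markup embedded in the image

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except xml.parsers.expat.ExpatError:
        note("malformed-xml")
    return findings
```

An empty result only means none of these markers were found; it does not make the file safe to serve from the application's own origin.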