News for wibblers. Stuff that really doesn't matter. |
|
News for wibblers. Stuff that really doesn't matter. |
|
Save the teapot fund
New CSS web design for Wibble proudly provided by Kelv. Please contact the webmaster with any questions or concerns. |
Wibble > List archives > bugtraq > 2000
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: Hotmail security hole - injecting JavaScript using <IMG
Kevin Hecht wrote:
> While Hotmail obviously has a filtering hole, should the browser
> manufacturers be on the hook here as well, given that javascript: URLs
> probably shouldn't be rendered at all by the <IMG> tag?
JavaScript can be used to calculate the URL to open in a IMG tag.
<IMG SRC="&{find_image_to_open()};">
n
What is more suprising is why it is so hard to make a JavaScript
scrubber filter. The ways javascript may be inserted in HTML is generic,
and not tied to any specific tag or attributes. (see Netscape JavaScript
client guide, chapter 9)
<script>
</script>
<tag attribute="&{javascript_code};">
<tag url_attribute="javascript:javascript_code">
Due to the open nature of HTML it is impossible to know all attributes
which may contain URLs. And I thinks it is safe to assume that all
attribute values may be contain URLs... I can't come up with a practical
HTML application where the attribute value "javascript:<something>"
makes much sense other than when refering to javascript code to be
executed.
--
Henrik Nordstrom
|
