Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Hotmail security hole - injecting JavaScript using <IMG

From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Wed, 5 Jan 2000 01:25:02 +0100

Kevin Hecht wrote:


While Hotmail obviously has a filtering hole, should the browser
manufacturers be on the hook here as well, given that javascript: URLs
probably shouldn't be rendered at all by the <IMG> tag?


JavaScript can be used to calculate the URL to open in a IMG tag.

<IMG SRC="&{find_image_to_open()};">
n
What is more suprising is why it is so hard to make a JavaScript
scrubber filter. The ways javascript may be inserted in HTML is generic,
and not tied to any specific tag or attributes. (see Netscape JavaScript
client guide, chapter 9)

<script>
</script>

<tag attribute="&{javascript_code};">

<tag url_attribute="javascript:javascript_code">

Due to the open nature of HTML it is impossible to know all attributes
which may contain URLs. And I thinks it is safe to assume that all
attribute values may be contain URLs... I can't come up with a practical
HTML application where the attribute value "javascript:<something>"
makes much sense other than when refering to javascript code to be
executed.


--
Henrik Nordstrom
Previous By Date Next
Previous By Thread Next

Current thread: