Security Basics mailing list archives

confused about a specific type of XSS


From: Thomas Anderson <terra1024 () yahoo com>
Date: Fri, 11 Nov 2005 19:58:23 -0800 (PST)

I've recently noticed a few XSS exploits that work by
supplying a URL whose protocol is javascript://%0D and
am kinda confused about them. First, here's an
example of what I mean:

<a href="javascript://%0Dwindow.alert%28%27Weird%27%29">Click Me!</a>

My question is... why do these seem to be generally
regarded as exploiting bugs in webscripts? It seems to
me that the browsers that execute the
window.alert('Weird') line are the programs with the
bugs - not webscripts.

If full disclosures exist for browsers for the above
stuff (I couldn't find any, so I'm assuming they
don't), then could someone provide links to them?

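The javascript: scheme is an intended browser feature, and the `//` in the post's example simply opens a JavaScript comment that the decoded %0D (carriage return) terminates, so the script after it runs. The defect is therefore in the web application that lets user-supplied text reach the scheme part of an href. Below is an added example, not part of the original post, of the kind of allow-list check an application can apply before emitting a link; the function names `normalizeHref` and `isSafeHref` and the allowed-scheme list are my own assumptions.

```javascript
// Added example (not from the original post): allow-list check for href values
// supplied by users, intended for the server or templating layer that writes
// <a href="..."> into a page. Names and the scheme list are assumptions.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

function normalizeHref(href) {
  // Browsers accept percent-encoded characters in a URL, so the scheme must
  // be examined after decoding (the post's %0D is one encoded byte).
  let s = href;
  try {
    s = decodeURIComponent(href);
  } catch (e) {
    // Malformed percent-encoding: keep the raw value and classify that.
  }
  // Browsers also strip ASCII control characters, tabs and newlines while
  // parsing a URL, so a scheme split by such characters still parses as the
  // scheme. Strip them here as well so the check sees what the browser sees.
  return s.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
}

function isSafeHref(href) {
  const s = normalizeHref(href);
  // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
  const m = s.match(/^([a-z][a-z0-9+.\-]*):/);
  if (!m) {
    // No scheme at all: a relative URL such as "/docs" or "#top". Keep it.
    return true;
  }
  // Anything with a scheme is accepted only if the scheme is on the allow-list,
  // which rejects javascript: (and data:, vbscript:, etc.) by default.
  return ALLOWED_SCHEMES.has(m[1]);
}

// Constructed sample inputs: the post's own example plus ordinary links.
const samples = [
  "javascript://%0Dwindow.alert%28%27Weird%27%29", // the post's example
  "https://example.com/page",
  "/relative/path",
  "mailto:someone@example.com",
];
for (const href of samples) {
  console.log(isSafeHref(href) ? "allow" : "reject", href);
}
```

The check deliberately classifies by scheme only; encoding the value for the HTML attribute context (quoting `"` and `&`) is a separate step that must still be done when the link is written out.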