Bugtraq mailing list archives

Re: Hotmail security vulnerability - injecting JavaScript using <STYLE> tag


From: joro () NAT BG (Georgi Guninski)
Date: Wed, 15 Sep 1999 10:20:26 +0300


Olaf Titz wrote:

> In article <37DCF0FE.908E4B4F () nat bg> you write:
> > Note: This is not a browser problem, it is Hotmail's problem.
>
> It is a browser problem, at least for the Netscape version.

I continue to think this is NOT a browser problem. In both Netscape and
Internet Explorer the behaviour of executing JavaScript via the STYLE tag is
fully documented, check the documentation. The fact that Hotmail does
not filter this kind of JavaScript is Hotmail's problem.

> > <P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))" >
>
> One could argue that styles can be computed via Javascript...

This definitely works, I have tried it numerous times. The same may be
reproduced by:
<A HREF="#" STYLE="left:(expression(...))">link</A> and in many other
cases.

> > <STYLE TYPE="text/javascript">
>
> ...but that is ridiculous. The browser should simply ignore a
> stylesheet of an unknown type, there is a reason for the type
> parameter after all. (Unless it is a deliberate feature that you can
> substitute STYLE for SCRIPT, which I somehow doubt.)

Again, this behaviour is fully documented in Netscape's documentation.

Regards,
Georgi
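
As an added example from the filtering side (editor's code, not anything posted in the thread or used by Hotmail), a Python scanner that flags the constructs the thread discusses: expression() in a STYLE attribute or stylesheet body, and a STYLE element whose TYPE is not text/css. The sample inputs are constructed to match the three payload shapes above plus a benign control.

```python
import re
from html.parser import HTMLParser

# Constructed samples (not from the thread) modelled on the three shapes it
# discusses: expression() in a P or A STYLE attribute, and a STYLE element
# declaring a JavaScript type. The last entry is the benign control case.
SAMPLES = {
    "p_expression": '<P STYLE="left:expression(eval(\'alert(1)\'))">hi</P>',
    "a_expression": '<A HREF="#" STYLE="left:expression(alert(1))">link</A>',
    "style_js_type": '<STYLE TYPE="text/javascript">alert(1)</STYLE>',
    "benign": '<P STYLE="color:red">hi</P><STYLE TYPE="text/css">p{color:red}</STYLE>',
}

EXPRESSION_RE = re.compile(r"expression\s*\(", re.IGNORECASE)

class StyleScriptScanner(HTMLParser):
    """Collects findings for constructs that let a STYLE carry script.
    HTMLParser lowercases tag/attribute names, so STYLE and style are alike."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # a list, so duplicate attributes are all checked
            if name == "style" and value and EXPRESSION_RE.search(value):
                self.findings.append(f"<{tag}> style attribute uses expression()")
        if tag == "style":
            self._in_style = True
            style_type = next((v for n, v in attrs if n == "type"), None)
            # A missing TYPE means CSS; any other declared type is not a stylesheet.
            if style_type is not None and style_type.strip().lower() != "text/css":
                self.findings.append(f"<style> declares non-CSS type {style_type!r}")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # expression() inside a stylesheet body is as dangerous as in an attribute.
        if self._in_style and EXPRESSION_RE.search(data):
            self.findings.append("<style> body uses expression()")

def scan(html):
    """Return the findings for one HTML-mail body; empty means nothing was flagged."""
    scanner = StyleScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Token matching like this catches the literal forms shown in the thread; a mail filter that has to survive obfuscated variants is better off allowlisting known-safe style properties and values than blocking known-bad tokens.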

