[13229] in bugtraq


Re: Hotmail security hole - injecting JavaScript using

daemon@ATHENA.MIT.EDU (Henrik Nordstrom)
Wed Jan 5 00:45:38 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <38728F5E.6716CEAB@hem.passagen.se>
Date:         Wed, 5 Jan 2000 01:25:02 +0100
Reply-To: Henrik Nordstrom <hno@HEM.PASSAGEN.SE>
From: Henrik Nordstrom <hno@HEM.PASSAGEN.SE>
X-To:         Kevin Hecht <khecht19@IDT.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Kevin Hecht wrote:

> While Hotmail obviously has a filtering hole, should the browser
> manufacturers be on the hook here as well, given that javascript: URLs
> probably shouldn't be rendered at all by the <IMG> tag?

JavaScript can be used to calculate the URL to open in an IMG tag.

<IMG SRC="&{find_image_to_open()};">
What is more surprising is why it is so hard to make a JavaScript
scrubber filter. The ways javascript may be inserted in HTML are generic,
and not tied to any specific tag or attributes. (see Netscape JavaScript
client guide, chapter 9)

<script>
</script>

<tag attribute="&{javascript_code};">

<tag url_attribute="javascript:javascript_code">

Due to the open nature of HTML it is impossible to know all attributes
which may contain URLs. And I think it is safe to assume that all
attribute values may contain URLs... I can't come up with a practical
HTML application where the attribute value "javascript:<something>"
makes much sense other than when referring to javascript code to be
executed.


--
Henrik Nordstrom
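An added example, not from Henrik's post and not Hotmail's filter, of the scrubber shape the post argues for: every attribute value on every tag is treated as a possible URL, and values are normalised (character references decoded, control characters dropped, case folded) before the three insertion forms from the post are matched. The sample markup is constructed.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample markup exercising the three insertion forms named in the
# post (script element, "&{expr};" entity, javascript: URL) plus benign markup.
SAMPLE = """
<p>Plain text with a <a href="http://example.com/page">normal link</a>.</p>
<IMG SRC="&{find_image_to_open()};">
<img src="  JavaScript:expression_here">
<a href="java&#115;cript:code">entity-encoded scheme</a>
<table background="javascript:code">
<script>code</script>
"""

# Spaces and control characters that browsers tolerated inside a scheme name;
# they are stripped before matching so a value like "java<TAB>script:" is caught.
_JUNK = re.compile(r"[\x00-\x20]")
_ENTITY_EXPR = re.compile(r"&\{")   # Netscape "&{expr};" JavaScript entity

def normalize(value: str) -> str:
    """Decode character references, drop control characters, fold case."""
    return _JUNK.sub("", html.unescape(value)).lower()

def is_script_value(value: str) -> bool:
    """True if this attribute value could trigger script execution."""
    return bool(_ENTITY_EXPR.search(value)) or normalize(value).startswith("javascript:")

class ScriptFinder(HTMLParser):
    """Records <script> elements and any attribute, on any tag, whose value is a
    script vector. Attribute names are not consulted: any attribute may carry a URL."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append((tag, None, None))
        for name, value in attrs:
            if value is not None and is_script_value(value):
                self.findings.append((tag, name, value))

def find_script_vectors(markup: str):
    """Return (tag, attribute, value) for every vector found in the markup."""
    finder = ScriptFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings
```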
