[24179] in bugtraq
Re: CSS -> ign.com
daemon@ATHENA.MIT.EDU (Steven Champeon)
Thu Feb 7 17:37:46 2002
X-Received-From: schampeo
X-Delivered-To: bugtraq@securityfocus.com
Date: Wed, 6 Feb 2002 21:54:55 -0500
From: Steven Champeon <schampeo@hesketh.com>
To: bugtraq@securityfocus.com
Message-ID: <20020206215455.B16489@hesketh.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <6096F6426539904EB650ED340F28450B18A8F6@Helium.cc.CyberCity.dk>; from Knud Erik Højgaard on Tue, Feb 05, 2002 at 11:42:37AM +0100
on Tue, Feb 05, 2002 at 11:42:37AM +0100, Knud Erik Højgaard wrote:
> To add to the late plethora of CSS bugs, ign.com has some too.

Would this be the right place to beg that the industry adopt the saner
acronym "XSS" for "Cross site scripting", to distinguish between it and
CSS, which to a large number of netizens means "Cascading Style Sheets"?
Every time I see one of these reports, I think "how can there be a bug
in CSS? It's a W3C Recommendation, not a piece of software..."

Of course, the article I wrote on the subject back in April of 2000
for Webmonkey /still/ allows you to do things like this:

http://hotwired.lycos.com/webmonkey/00/18/index3a.html
http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=barney
http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=has%20no
http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert("!");</script>

Sigh.

Steve
--
hesketh.com/inc. v: (919) 834-2552 f: (919) 834-2554 w: http://hesketh.com