Loading ...
Sorry, an error occurred while loading the content.

104Re: [caplet] Re: ADsafe, Take 6

Expand Messages
  • David Hopwood
    Oct 18, 2007
    • 0 Attachment
      collin_jackson wrote:
      > Null byte between "java" and "script" passes JSLint on Firefox despite
      > being an attack on IE: <iframe src="java�script:alert(42)"></iframe>
      >
      > Also:
      >
      > <iframe src="data:text/html,<body onload=alert(42) />"></iframe>

      The diversity of possible attacks on HTML, and the difficulty in keeping
      up with any changes in browsers, suggests to me that it may be a better
      idea simply not to support direct HTML embedding. Apart from the latency
      cost of fetching a script from a separate URL, is there any other reason
      to support it?

      --
      David Hopwood <david.hopwood@...>
    • Show all 30 messages in this topic