Security Basics mailing list archives
confused about a specific type of XSS
From: Thomas Anderson <terra1024 () yahoo com>
Date: Fri, 11 Nov 2005 19:58:23 -0800 (PST)
I've recently noticed a few XSS exploits that work by supplying a URL whose protocol is javascript://%0D and am kinda confused about them. First, here's an example of what I mean:

<a href="javascript://%0Dwindow.alert%28%27Weird%27%29">Click Me!</a>

My question is... why do these seem to be generally regarded as exploiting bugs in webscripts? It seems to me that the browsers that execute the window.alert('Weird') line are the programs with the bugs - not webscripts. If full disclosures exist for browsers for the above stuff (I couldn't find any, so I'm assuming they don't), then could someone provide links to them?
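Added example, not part of the original post: one way a web script can keep a link like the one quoted above out of its output is to parse every user-supplied link target and allow only known schemes before writing the href attribute. The names safeHref, escapeHtml and renderLink and the base URL https://forum.example/ are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for user-supplied link targets.
// safeHref, escapeHtml, renderLink and BASE are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const BASE = "https://forum.example/"; // constructed base for relative links

// Return a normalised URL string if the scheme is allowed, otherwise null.
function safeHref(input) {
  let url;
  try {
    // The WHATWG URL parser resolves the scheme the way a browser does,
    // so the check sees the same protocol the browser would act on.
    url = new URL(String(input), BASE);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Escape a string for an HTML text node or a double-quoted attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a link; a rejected target is emitted as plain text with no href.
function renderLink(href, label) {
  const safe = safeHref(href);
  const text = escapeHtml(label);
  return safe === null ? text : `<a href="${escapeHtml(safe)}">${text}</a>`;
}

// Constructed sample inputs; the first is the link target from the post.
const samples = [
  "javascript://%0Dwindow.alert%28%27Weird%27%29",
  "http://example.com/page?id=1",
  "/archive/2005/11",
];
for (const s of samples) console.log(renderLink(s, "Click Me!"));
```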