Bugtraq mailing list archives

Re: Yet another major Hotmail security hole - injecting JavaScript using "javas&#67ript:"


From: reinke () E-SOFTINC COM (Thomas Reinke)
Date: Fri, 24 Sep 1999 00:49:42 -0400


Although this is certainly not elegant, (but in Microsoft's interest
to do so), it sounds like they may want to consider directives
that can be placed in a web page that _downgrade_ a browser's
capabilities. E.g. - if a header of a page said something
like <META Capability:Javascript=NO> or some such thing (I won't
quibble about syntax), then it would disallow any javascript
further on down. Note, I don't advocate _increases_, which of
course would cause all sorts of security headaches. But this
way, a site would be able to present data from an untrusted
party, knowing confidently it had blocked all Javascript,
instead of trying to write code to think of every scenario
that might need to be blocked.

Now that I think about it, what sorts of security risks
might exist (if any) by being able to send messages that
have APPLET tags embedded in them? Might someone be able
to create a message with an embedded applet that looked
like it should request userid/password, and since the
applet comes from the offending site, thus be able to
send the userid/password pair BACK to the offending site
(of course for as long as the site was able to stay
up before it was attacked :))?

Brian Hampson wrote:

I can't see that Hotmail will ever be able to block javascript if this is the
case...think..you could replace any letter, or any combination of letters.
Major coding hassle.

------------------------------------------------------------
Thomas Reinke                            Tel: (416) 460-7021
Director of Technology                   Fax: (416) 598-2319
E-Soft Inc.                         http://www.e-softinc.com

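Brian Hampson's point, that a blocklist of letter combinations can never keep up with entity-encoded schemes such as "javas&#67ript:", is the reason a filter should decode and canonicalize a link first and then allow only known-safe schemes. The following is an added Python illustration written for this archive page; it is not code from the thread, from Hotmail, or from E-Soft, and the allowed-scheme set and the set of stripped characters are assumptions.

```python
import html
import re

# Assumption: only these schemes are acceptable in a link inside mail.
# An allowlist sidesteps "think of every scenario that might need to be blocked".
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Assumption: ASCII control characters, whitespace and DEL are dropped
# before the scheme is read, since browsers tolerate them in that position.
_STRIPPED = re.compile(r"[\x00-\x20\x7f]")

# RFC 3986 scheme syntax; anything else before the colon is not a scheme.
_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*$")


def canonical_scheme(url: str) -> str:
    """Return the lowercase scheme a browser would act on, or '' if none."""
    decoded = url
    # Decode HTML character references ("javas&#67ript:" -> "javasCript:"),
    # repeating until stable so a doubly-encoded "&amp;#67" is also resolved.
    while True:
        again = html.unescape(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = _STRIPPED.sub("", decoded)
    head, sep, _ = decoded.partition(":")
    head = head.lower()
    return head if sep and _SCHEME.match(head) else ""


def naive_blocked(url: str) -> bool:
    """The substring check the thread says cannot work: easily encoded around."""
    return "javascript:" in url.lower()


def safe_href(url: str) -> bool:
    """Accept a link only if it has no scheme (relative) or an allowed scheme."""
    scheme = canonical_scheme(url)
    return scheme == "" or scheme in ALLOWED_SCHEMES
```

The naive check passes "javas&#67ript:" while the canonicalizing allowlist rejects it, and a relative link such as "/inbox?x=a:b" is still accepted because its text before the colon is not a valid scheme.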