Re: Hotmail security hole - injecting JavaScript using <IMG

[metal_hurlant () YAHOO COM (Metal Hurlant)]

On Wed, 05 Jan 2000, Henrik Nordstrom wrote:
> What is more suprising is why it is so hard to make a JavaScript
> scrubber filter. The ways javascript may be inserted in HTML is generic,
> and not tied to any specific tag or attributes. (see Netscape JavaScript
> client guide, chapter 9)
>
> <script>
> </script>
>
> <tag attribute="&{javascript_code};">
>
> <tag url_attribute="javascript:javascript_code">
>
> Due to the open nature of HTML it is impossible to know all attributes
> which may contain URLs. And I thinks it is safe to assume that all
> attribute values may be contain URLs... I can't come up with a practical
> HTML application where the attribute value "javascript:<something>"
> makes much sense other than when refering to javascript code to be
> executed.

Things are a bit more complicated than that:
- javascript code can be placed in a growing number of optional tag parameters
(like onmouseover, onload, etc..). The only way to block those is to keep an
extensive and up-to-date list of every possible parameter allowing to run a
script.
- Netscape supports something called javascript style sheets, allowing to
embed javascript between <style> tags
- Netscape recognizes mocha: and livescript: urls and treats them like
javascript: urls

I'm sure IE has its own share of incompatible and not widely known ways to run
scripts.
Everyone thinks Javascript is cool (except maybe some weird security folks),
so each new browser version is very likely to have a few new ways to do more
cool things in javascript..

Regards,
Henri Torgemane