Bugtraq mailing list archives

Poisonous Style for Dialog window turns the zone off.


From: Liu Die Yu <liudieyuinchina () yahoo com cn>
Date: 3 Dec 2002 06:26:37 -0000



Poisonous Style for Dialog window turns the zone off.
("that's all" is the end of file if you are in a hurry)

[tested]
MSIEv6(CN version)
Patch: Q312461,Q328790(MS02-066)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000} 

[demo]
at 
http://www16.brinkster.com/liudieyu/PoisonousSTYLEforDialog/PoisonousSTYLEforDialog-MyPage.htm
or 
clik.to/liudieyu ==> PoisonousSTYLEforDialog-MyPage section.

[exp]
you can appoint the style of text in window(a "ModalDialog" window) opened 
by "showModalDialog()" regardless of zone difference.

the style can cause execution of script, one example:
<IMG width="0" height="0" style="width: expression(alert());">

so "poisonous" style can do XSS at client side.

that's all


[how]
i spent some time trying to bypass hotmail script filtering, so i read 
something about it, including the above one from Guninski.
so, i got this one as soon as i read the description of "showModalDialog()" 
at MSDN.

[BTW]
if you are interested in XSS at server side, don't miss a tool at 
http://clik.to/fasx
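
The [exp] section above shows a style value reaching script through expression(). As an added example (not part of the original post), here is a filter-side check in JavaScript that flags such style attributes after undoing HTML character references, CSS comments and CSS backslash escapes. The function names and all sample markup except the post's own IMG line are constructed, and the regex-based attribute extraction is a simplification of real HTML parsing.

```javascript
// Added example: flag style attributes whose value reaches CSS expression().
// All names are hypothetical; regex extraction is a simplification of HTML parsing.

const NAMED = new Map([["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"']]);

// Code point to string, dropping values outside the Unicode range.
const cp = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "");

// Decode HTML character references once, as the attribute parser would.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (m, h, d, n) =>
    h ? cp(parseInt(h, 16)) : d ? cp(parseInt(d, 10)) : NAMED.get(n.toLowerCase()) ?? m);
}

// Undo the CSS-level spellings that hide a keyword from a literal string match.
function normalizeCss(value) {
  return value
    .replace(/\/\*[\s\S]*?\*\//g, "")                                  // comments
    .replace(/\\([0-9a-f]{1,6})\s?/gi, (_, h) => cp(parseInt(h, 16)))  // \65 -> e
    .replace(/\\([^\n])/g, "$1")                                       // \x -> x
    .replace(/[\s\0]+/g, "")                                           // whitespace, NUL
    .toLowerCase();
}

// Return the raw value of every style attribute that normalizes to expression(.
function findExpressionStyles(html) {
  const re = /\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hits = [];
  for (const m of html.matchAll(re)) {
    const raw = m[1] ?? m[2] ?? m[3];
    if (normalizeCss(decodeEntities(raw)).includes("expression(")) hits.push(raw);
  }
  return hits;
}

// First line is the post's own example; the rest are constructed samples.
const SAMPLE_HTML = [
  '<IMG width="0" height="0" style="width: expression(alert());">',
  '<p style="color: red">plain</p>',
  "<div style='width: expr/**/ession(1)'>comment-split</div>",
  '<b style="width: &#101;xpression(1)">entity-encoded</b>',
].join("\n");

console.log(findExpressionStyles(SAMPLE_HTML));
```

A literal substring match on the raw attribute would catch only the first sample; the other two hits appear only after normalization.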



