Subject: RE: data protocol: was RE: [xsl] node-setting() escaped text
From: "Marty McKeever" <marty.mckeever@xxxxxxxxxx>
Date: Thu, 13 Feb 2003 11:22:00 -0500

yeah there was a nice security issue on this one, allowing you to read other
people's cookies. something along the lines of
about:www.yahoo.com<script>alert(document.cookies)</script> would fool IE into
thinking that the result was a document on the yahoo.com domain and therefore
safe to read/write yahoo's cookies.

> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx]On Behalf Of Américo
> Albuquerque
> Sent: Thursday, February 13, 2003 9:58 AM
> To: xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> Subject: RE: data protocol: was RE: [xsl] node-setting() escaped text
>
>
> Hi Bryan
> You can do something like that in IE.
> Try:
> about:<html code>
>
> try writing this in a html page :)
>
> Link: <a href="about:<p><b>Teste</b></p>" target=_new>Click
> here</a>.<br>
> Link: <a href="about:<b>hello</b><br/><p
> onclick=javascript:window.open('http://www.xml.com')>hello</p>"
> target=_new>Click here</a>.<br>
> Link: <a
> href="about:<script>location.href='http://www.xml.com';</script>"
> target=_new>Click here</a>
>
>
> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of bryan
> Sent: Thursday, February 13, 2003 2:22 PM
> To: xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> Subject: data protocol: was RE: [xsl] node-setting() escaped text
>
>
> >data:text/html,<b>hello</b>
> >into netscape's location bar)
>
> why do I think this is a security problem? Hmm
> data:text/html,<b>hello</b><br/><p
> onclick="javascript:window.open('http://www.xml.com')">hello</p>
>
> anyway it's interesting that it wasn't done as an app, asynchronous
> pluggable protocol, if it were then one could launch mozilla from within
> IE by calling the protocol, on the other hand as it wasn't this opens
> the way up for an ie implementation. In fact it wouldn't be difficult at
> all, of course as ie has enough security bugs...
>
> XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
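
An added example, not part of the original messages: a scheme allow-list that a page rendering untrusted links could apply so that `about:` and `data:` hrefs like the ones quoted in this thread are never emitted. The names `SAFE_SCHEMES`, `extractScheme`, `classifyHref` and `sanitizeHref` and the choice of allowed schemes are assumptions of this example.

```javascript
// Added example: scheme allow-list applied to href values before rendering.
// SAFE_SCHEMES and all function names are choices made for this example.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Browsers drop tab/CR/LF anywhere in a URL and ignore leading control
// characters and spaces, so normalise before reading the scheme; otherwise
// " \tDATA:..." slips past a naive startsWith("data:") check.
function extractScheme(href) {
  const cleaned = String(href)
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null: relative reference, no scheme
}

function classifyHref(href) {
  const scheme = extractScheme(href);
  if (scheme === null) {
    return { allowed: true, scheme: null, reason: "relative reference" };
  }
  if (SAFE_SCHEMES.has(scheme)) {
    return { allowed: true, scheme, reason: "allow-listed scheme" };
  }
  // about:, data:, javascript: and anything unknown end up here.
  return { allowed: false, scheme, reason: "scheme not allow-listed" };
}

// Returns the href to render, or "#" when the scheme is rejected.
function sanitizeHref(href) {
  return classifyHref(href).allowed ? href : "#";
}

// The first three hrefs are quoted from the thread; the rest are constructed.
const samples = [
  "about:<p><b>Teste</b></p>",
  "about:<script>location.href='http://www.xml.com';</script>",
  "data:text/html,<b>hello</b>",
  " \tDATA:text/html,<b>hello</b>",
  "http://www.xml.com",
  "docs/page.html?x=a:b",
];
for (const s of samples) {
  const r = classifyHref(s);
  console.log(JSON.stringify(s), "->", sanitizeHref(s), "(" + r.reason + ")");
}
```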