
RE: data protocol: was RE: node-setting() escaped text

Subject: RE: data protocol: was RE: node-setting() escaped text
From: "Marty McKeever" <marty.mckeever@xxxxxxxxxx>
Date: Thu, 13 Feb 2003 11:22:00 -0500
marty mckeever
Yeah, there was a nice security issue on this one, allowing you to read other
people's cookies. Something along the lines of

about:www.yahoo.com<script>alert(document.cookies)</script>

would fool IE into thinking that the result was a document on the yahoo.com
domain and therefore safe to read/write Yahoo's cookies.



> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx]On Behalf Of Américo
> Albuquerque
> Sent: Thursday, February 13, 2003 9:58 AM
> To: xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> Subject: RE: data protocol: was RE:  node-setting() escaped text
>
>
> Hi Bryan
> You can do something like that in IE.
> Try:
> about:<html code>
>
> Try writing this in an HTML page :)
>
>  Link: <a href="about:<p><b>Teste</b></p>" target=_new>Click
> here</a>.<br>
>  Link: <a href="about:<b>hello</b><br/><p
> onclick=javascript:window.open('http://www.xml.com')>hello</p>"
> target=_new>Click here</a>.<br>
>  Link: <a
> href="about:<script>location.href='http://www.xml.com';</script>"
> target=_new>Click here</a>
>
>
> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of bryan
> Sent: Thursday, February 13, 2003 2:22 PM
> To: xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> Subject: data protocol: was RE:  node-setting() escaped text
>
>
> >data:text/html,<b>hello</b>
> >into netscape's location bar)
>
> why do I think this is a security problem? Hmm
> data:text/html,<b>hello</b><br/><p
> onclick="javascript:window.open('http://www.xml.com')">hello</p>
>
> anyway it's interesting that it wasn't done as an app, asynchronous
> pluggable protocol, if it were then one could launch mozilla from within
> IE by calling the protocol, on the other hand as it wasn't this opens
> the way up for an ie implementation. In fact it wouldn't be difficult at
> all, of course as ie has enough security bugs...
>
>
>
>  XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
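
A defender's-side check for the link shapes quoted in this thread, as an added example that is not part of the original messages: it extracts `href` values from markup and flags any whose scheme is not on an allowlist, so `about:` and `data:` links carrying inline HTML are caught even when the scheme is hidden behind character references or leading whitespace. The function names, the allowlist and the sample markup are assumptions constructed for illustration.

```javascript
// Added example. Allowlist of schemes a link may use; everything else is flagged.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode the character references that can hide a scheme inside an attribute.
function decodeRefs(value) {
  const named = { colon: ":", Tab: "\t", NewLine: "\n", amp: "&", lt: "<", gt: ">", quot: '"' };
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, ref) => {
    if (ref[0] !== "#") return Object.prototype.hasOwnProperty.call(named, ref) ? named[ref] : whole;
    const code = /^#x/i.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
  });
}

// Scheme as a browser's URL parser sees it: leading control characters and
// spaces are dropped and tab/newline are removed before the scheme is read.
function hrefScheme(rawValue) {
  const cleaned = decodeRefs(rawValue).replace(/^[\u0000-\u0020]+/, "").replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null means a relative reference
}

// Return every href in the markup whose scheme is not on the allowlist.
function auditLinks(html) {
  const findings = [];
  const hrefRe = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of html.matchAll(hrefRe)) {
    const value = m[1] ?? m[2] ?? m[3];
    const scheme = hrefScheme(value);
    if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) findings.push({ scheme, value });
  }
  return findings;
}

// Constructed sample: the link shapes quoted in the thread plus two controls.
const SAMPLE = [
  '<a href="about:<p><b>Teste</b></p>" target=_new>Click here</a>',
  '<a href="data:text/html,<b>hello</b>">hello</a>',
  '<a href=" d&#97;ta&colon;text/html,<b>hi</b>">x</a>',
  '<a href="http://www.xml.com">xml.com</a>',
  '<a href="notes/today.html">relative</a>',
].join("\n");

console.log(auditLinks(SAMPLE));
```
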