
[Full-disclosure] JS-Fun with HTML deprecated tags

Sup FD peoples,

This has probably already been discussed before, but I'm still at a loss as to 
why PRE, LISTING and COMMENT allow scripts to be run. I know it has been 
specifically stated that PRE will not block all tags, but since LISTING and 
COMMENT are now deprecated, why are browsers still allowing JavaScript to be 
run from within them? Doesn't this pose a security vulnerability? I mean, the 
whole point of the COMMENT tag is pretty self-explanatory from its name. I'm 
pretty sure I could Google around for a few sites that block JavaScript from being 
used, but throw it into a LISTING tag or a COMMENT tag and it would probably 
run. Apologies if this has already been discussed...

-Malformation

Proof of concept:

<html>
<body>
<pre>
PRE
<script>alert("vuln!");</script>
</pre>

<listING>
LISTING
<script>alert("vuln!");</script>
</listING>

<XMP>
XMP
<script>alert("vuln!");</script>
</XMP>

<COMMENT>
COMMENT
<script>alert("vuln!");</script>
</COMMENT>

<PLAINTEXT>
PLAINTEXT
<script>alert("vuln!");</script>
</PLAINTEXT>

<code>
CODE
<script>alert("vuln!");</script>
</code>

</body>
</html>
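The point of the post above is that a "text-like" wrapper tag does not stop the tokenizer from seeing a script element inside it. The following is an added example, not part of the original post, that makes the same observation with Python's html.parser standing in for a browser tokenizer and then shows the mitigation that actually works: escaping the untrusted text before it is inserted, rather than relying on PRE, LISTING, COMMENT or CODE to neutralize it. That html.parser agrees with browsers for these four tags is an assumption (it does not implement the raw-text rules for XMP and PLAINTEXT, so those are left out), and the sample payload is constructed from the post's own PoC.

```python
"""Added example (not from the original post): a <script> element nested
inside PRE, LISTING, COMMENT or CODE is still tokenized as a script element;
escaping the untrusted text is what removes it. Python's html.parser is used
here as a stand-in for a browser tokenizer (assumption), and the sample
payload below is constructed from the post's PoC."""
import html
from html.parser import HTMLParser

# Constructed sample of untrusted text, modelled on the post's PoC payload.
UNTRUSTED = '<script>alert("vuln!");</script>'
# The wrapper tags the post shows scripts running inside of.
WRAPPER_TAGS = ("pre", "listing", "comment", "code")


class ScriptFinder(HTMLParser):
    """Counts every <script> start tag the tokenizer reports."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag names, so mixed case like <listING> is fine.
        if tag == "script":
            self.script_tags += 1


def count_script_elements(markup):
    """Number of script elements the tokenizer sees in the given markup."""
    parser = ScriptFinder()
    parser.feed(markup)
    parser.close()
    return parser.script_tags


def wrap_only(text, tag):
    """The ineffective 'mitigation': rely on a wrapper tag to suppress markup."""
    return f"<{tag}>{text}</{tag}>"


def wrap_and_escape(text, tag):
    """The correct mitigation: escape the untrusted text before inserting it."""
    return f"<{tag}>{html.escape(text)}</{tag}>"


def audit():
    """Map each wrapper tag to (scripts when only wrapped, scripts when escaped)."""
    return {
        tag: (
            count_script_elements(wrap_only(UNTRUSTED, tag)),
            count_script_elements(wrap_and_escape(UNTRUSTED, tag)),
        )
        for tag in WRAPPER_TAGS
    }


if __name__ == "__main__":
    for tag, (wrapped, escaped) in audit().items():
        print(f"<{tag}>: script elements unescaped={wrapped}, escaped={escaped}")
```

For every wrapper tag the unescaped count is 1 and the escaped count is 0, which is the practical lesson for a filter author: decide by escaping the content, never by the element it sits in.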
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/