By John Gruber
WorkOS is a modern identity and user management platform.
- Community Creators, Secure Your Code
-
Niklas Bivald writes for A List Apart regarding cross-site scripting attacks. I had no idea that Internet Explorer executes JavaScript contained within style attributes:
<style="background:url(javascript:alert(document.cookie))">and that filtering for “javascript” isn’t enough, because IE will also accept things like:
<style="background:url(ja vas cript:alert(document.cookie))">which is just sickening. Off the top of my head, I’m thinking you could filter for the regex “
j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t”, but who would expect that that’s necessary?★ Thursday, 20 April 2006