By John Gruber
Niklas Bivald writes for A List Apart regarding cross-site scripting attacks. I had no idea that Internet Explorer executes JavaScript contained within style attributes:
<style="background:url(javascript:alert(document.cookie))">
and that filtering for “javascript” isn’t enough, because IE will also accept things like:
<style="background:url(ja
vas
cript:alert(document.cookie))">
which is just sickening. Off the top of my head, I’m thinking you could filter for the regex “j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t”, but who would expect that that’s necessary?
★ Thursday, 20 April 2006
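Added illustration, not part of the original post: the sketch below runs the two style values quoted above through a literal "javascript" filter, the whitespace-tolerant regex suggested above, and an allowlist that normalizes each url() target and accepts only http(s). The function names and sample strings are constructed for this example, and the allowlist checks url() targets only.

```javascript
// Constructed samples: the two style values quoted in the post,
// plus two benign values (example.com is a placeholder host).
const SAMPLES = {
  plain: 'background:url(javascript:alert(document.cookie))',
  split: 'background:url(ja\nvas\ncript:alert(document.cookie))',
  benign: 'background:url(https://example.com/bg.png)',
  benignName: 'background:url(https://example.com/javascript-logo.png)',
};

// Blocklist 1: literal substring match. Returns true when the value passes.
function naiveFilter(style) {
  return !/javascript/i.test(style);
}

// Blocklist 2: the whitespace-tolerant regex suggested in the post.
function whitespaceTolerantFilter(style) {
  return !/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t/i.test(style);
}

// Allowlist (hypothetical helper): instead of hunting for a bad scheme,
// accept a url() target only if, after whitespace, control characters and
// quotes are removed, it starts with http:// or https://.
// Scope: url() targets only; this is not a full CSS sanitizer.
function allowlistFilter(style) {
  const targets = [...style.matchAll(/url\(([^)]*)/gi)].map((m) => m[1]);
  return targets.every((target) => {
    const normalized = target.replace(/[\s\u0000-\u001f'"]/g, '');
    return /^https?:\/\//i.test(normalized);
  });
}

// Run every sample through every filter; true means "accepted".
function compareFilters() {
  const rows = {};
  for (const [name, style] of Object.entries(SAMPLES)) {
    rows[name] = {
      naive: naiveFilter(style),
      tolerant: whitespaceTolerantFilter(style),
      allowlist: allowlistFilter(style),
    };
  }
  return rows;
}

console.table(compareFilters());
```

The table shows the literal filter accepting the line-broken value, and both blocklists rejecting a harmless image whose file name happens to contain "javascript", while the allowlist gets all four right.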