IE7 javascript echo

This is a strange one, I’ve no clue why IE7 does this but it appears to execute and echo javascript using multiple :

Check it out:
Echo javascript

15 Responses to “IE7 javascript echo”

  1. .mario writes:

    Yep – very bizarre. I was already wondering when updating the xssDB with your vectors seeing the javascript:alert: variant.

    So IE7 allows functions to be called with name:param in general?

  2. Gareth Heyes writes:

    It appears so yes, this could be dangerous but I haven’t really thought about it.

    I think IE7 allows you to overwrite the document but still retain the properties, I’m a bit tired today so I can’t quite get my head round it πŸ™‚

  3. pdp writes:

    this is a standard behavior, not a bug. The last operand is taken as output of the expression. for example:


    will result to 8



    results to nothing.

    This is how you can generate HTML via JavaScript… it is like the data protocol.

    javascript:’Check out’

    simple! πŸ™‚

  4. Gareth Heyes writes:


    I still think it’s a bug:-

  5. Gareth Heyes writes:

    You can see were I’m going with that.

    Or am I just tired? I was up late, I suppose once you’ve got javascript: you’ve got the document anyway. It is a different way of accessing the document though to avoid filters.

  6. pdp writes:

    nope πŸ™‚ it is not a bug. as I said the content will be rendered as html. You are still in about:blank! I think that I discussed thihs somewhere on GC.

  7. Gareth Heyes writes:

    Ok pdp I believe you πŸ™‚

    But hey look at what can do, good for avoiding filters:-

  8. Gareth Heyes writes:

    That link translates to:-

    I know it’s on the about:blank document but still I found it interesting.

  9. Stefan Esser writes:

    Ehmm I wonder what you are actually trying todo with your example.

    It seems for me to work in both IE7 and latest FF

  10. Gareth Heyes writes:

    Hi Stefan I just thought IE7 and now it appears Firefox has some odd behavior. In that it allows you to directly insert html or javascript code through the url without document.write.

    I noticed it when I was testing the PHPIDS for code injection. I’m not sure if it is really a problem or not because you have to use javascript: anyway.

  11. Christian Wenz writes:

    many people stumble upon that when they try something like and get an output like [window object] instead. And as Stefan already said, all browsers do that (starting from Netscape 2) πŸ˜‰

  12. Christian Wenz writes:

    aah, the link I wanted to post was this one:

    [a href=”javas*removethis*…)”]

  13. sirdarckcat writes:


    I also think it’s not a bug.. the javascript URI will output the response of the function to the document, it is the desired behaivor, and iin that I base JaSiLDBG (



    The anything:something:whatever: think is because they are valid labels:


  14. Gareth Heyes writes:

    Yeah I agree it’s not a bug but it is quite interesting way to avoid filters as my example in comment 7.

    The : thing is quite interesting too because you can directly call a function in the url without using () again another thing to be aware of when developing html/javascript filters.

    Thanks everyone!

  15. JD writes:

    it’s been round and used for a long time *EDITED (Nice Try) lol*