This is a strange one, I’ve no clue why IE7 does this but it appears to execute and echo javascript using multiple :
Check it out:
Echo javascript
Comments 15
Yep - very bizarre. I was already wondering when updating the xssDB with your vectors seeing the javascript:alert: variant.
So IE7 allows functions to be called with name:param in general?
Posted 03 Aug 2007 at 12:46 pm ¶
It appears so yes, this could be dangerous but I haven’t really thought about it.
I think IE7 allows you to overwrite the document but still retain the properties, I’m a bit tired today so I can’t quite get my head round it
Posted 03 Aug 2007 at 12:54 pm ¶
this is a standard behavior, not a bug. The last operand is taken as output of the expression. for example:
javascript:4+4
will result to 8
but:
javascript:4+4;void(0)
results to nothing.
This is how you can generate HTML via JavaScript… it is like the data protocol.
javascript:'Check out'
simple!
Posted 03 Aug 2007 at 1:00 pm ¶
@pdp
I still think it’s a bug:-
Posted 03 Aug 2007 at 1:05 pm ¶
javascript:'<script>alert(1)</script>'
You can see where I’m going with that.
Or am I just tired? I was up late, I suppose once you’ve got javascript: you’ve got the document anyway. It is a different way of accessing the document though to avoid filters.
Posted 03 Aug 2007 at 1:07 pm ¶
nope
it is not a bug. as I said the content will be rendered as html. You are still in about:blank! I think that I discussed this somewhere on GC.
Posted 03 Aug 2007 at 1:35 pm ¶
Ok pdp I believe you
But hey look at what can do, good for avoiding filters:-
Posted 03 Aug 2007 at 2:17 pm ¶
Test
That link translates to:-
javascript:'<script>alert(1)</script>'
I know it’s on the about:blank document but still I found it interesting.
Posted 03 Aug 2007 at 2:36 pm ¶
Ehmm I wonder what you are actually trying to do with your example.
It seems for me to work in both IE7 and latest FF
Posted 03 Aug 2007 at 2:39 pm ¶
Hi Stefan I just thought IE7 and now it appears Firefox has some odd behavior. In that it allows you to directly insert html or javascript code through the url without document.write.
I noticed it when I was testing the PHPIDS for code injection. I’m not sure if it is really a problem or not because you have to use javascript: anyway.
Posted 03 Aug 2007 at 2:56 pm ¶
many people stumble upon that when they try something like and get an output like [window object] instead. And as Stefan already said, all browsers do that (starting from Netscape 2)
Posted 04 Aug 2007 at 12:24 am ¶
aah, the link I wanted to post was this one:
[a href="javas*removethis*cript:window.open(...)"]
Posted 04 Aug 2007 at 12:25 am ¶
Hi!
I also think it’s not a bug.. the javascript URI will output the response of the function to the document, it is the desired behavior, and in that I base JaSiLDBG (http://jasildbg.googlepages.com)..
javascript:anything:thisfunctionsdoesntexist:”;
The anything:something:whatever: thing is because they are valid labels:
http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Statements:label
Greetz!!
Posted 04 Aug 2007 at 7:39 am ¶
Yeah I agree it’s not a bug but it is quite interesting way to avoid filters as my example in comment 7.
The : thing is quite interesting too because you can directly call a function in the url without using () again another thing to be aware of when developing html/javascript filters.
Thanks everyone!
Posted 04 Aug 2007 at 10:34 am ¶
it’s been round and used for a long time *EDITED (Nice Try) lol*
Posted 04 Aug 2007 at 8:14 pm ¶
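
The behaviour discussed in the comments above (a javascript: URI renders the value of its last expression as HTML, with no document.write involved) is why a link filter should decide on the URL scheme rather than on script keywords. The following is an added example, not code from the original post or its commenters; the helper names, the allowlist and the keyword pattern are assumptions, and the sample links reuse strings quoted in the thread plus constructed benign ones:

```javascript
// Added example (not from the original post). Helper names are hypothetical.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Keyword blocklist of the kind discussed in the thread (assumed pattern):
// it looks for script sinks in the text instead of looking at the scheme.
function keywordFilterAllows(href) {
  return !/document\.write|innerHTML|eval\s*\(/i.test(href);
}

// Scheme allowlist: parse the link with the WHATWG URL parser and accept it
// only if the resulting scheme is one we explicitly permit.
function schemeAllowlistAllows(href) {
  let url;
  try {
    // Relative links resolve against the base and inherit its https: scheme.
    url = new URL(href, 'https://example.invalid/');
  } catch {
    return false; // unparsable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Strings quoted in the thread, plus constructed benign links.
const SAMPLE_HREFS = [
  "javascript:4+4",
  "javascript:4+4;void(0)",
  "javascript:'<script>alert(1)</script>'",
  "https://example.invalid/page?id=1", // constructed
  "/relative/path",                    // constructed
  "mailto:user@example.invalid",       // constructed
];

// Run both checks over a list of links and return one verdict row per link.
function auditLinks(hrefs) {
  return hrefs.map((href) => ({
    href,
    keywordFilter: keywordFilterAllows(href),
    schemeAllowlist: schemeAllowlistAllows(href),
  }));
}

for (const row of auditLinks(SAMPLE_HREFS)) {
  console.log(row.schemeAllowlist ? 'ALLOW' : 'BLOCK', row.href,
    '(keyword filter would', row.keywordFilter ? 'allow)' : 'block)');
}
```

All three javascript: links from the thread pass the keyword filter and are rejected by the scheme allowlist, while the benign links are accepted.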