Firefox weird javascript execution

I’ve been reading sla.ckers quite a lot recently and I found an interesting topic there where rsnake describes some strange Firefox JavaScript execution vectors which I wasn’t aware of. I thought I’d share them with everyone because I’m sure you’ll find them of interest.

1. First off there’s the double //, which lets you specify a domain name without stating the scheme (http:// etc.), for example:-
<a href="//www.thespanner.co.uk/">Test</a>

2. You can also use a / in place of a space, e.g. <body/s/onload=x={doc:parent.document};x.doc.writeln(1) which Firefox will execute despite the incomplete tag and the absence of any spaces.

3. This is just silly :-
<body/""$/onload=x={doc:parent['document']};x.doc.writeln(1)

I think Firefox should require valid HTML markup before it tries to execute any JavaScript. There are many more problems like this, such as the invalid comment string which I’m sure everyone is aware of. Scary stuff.
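As an added example (not code from the original post), here is a small tokenizer that parses a start tag the way the post says Firefox does, treating / as an attribute separator, next to a whitespace-dependent regex blacklist that the vectors above slip past and the kind of allowlist check the comments argue for. The ALLOWED policy, the function names and the sample page URL are assumptions for illustration.

```javascript
// Added example, not code from the original post. ALLOWED is an assumed
// policy: element name -> attribute names a sanitizer would keep.
const ALLOWED = { a: ['href', 'title'], b: [], i: [], p: [] };

// Parse one start tag into { name, attrs }. Attribute names end at
// whitespace, '/', '=' or '>'; unquoted values end only at whitespace or '>'.
// The closing '>' is optional, so an incomplete tag still yields attributes.
function tokenizeTag(src) {
  const m = /^<([A-Za-z][^\s\/>]*)([^>]*)>?/.exec(src);
  if (!m) return null;
  const attrs = {};
  const attrRe = /([^\s\/=>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
  let a;
  while ((a = attrRe.exec(m[2])) !== null) {
    let value = a[2] === undefined ? '' : a[2];
    if (/^["']/.test(value)) value = value.slice(1, -1); // drop the quotes
    attrs[a[1].toLowerCase()] = value;
  }
  return { name: m[1].toLowerCase(), attrs };
}

// Regex blacklist that expects real whitespace before an event handler.
// It never fires on <body/s/onload=..., which is the gap the post describes.
function naiveBlacklistFlags(src) {
  return /<\w+\s+[^>]*\bon\w+\s*=/i.test(src);
}

// Allowlist: keep the tag only if the element is allowed and every parsed
// attribute is on that element's list; anything else is rejected.
function allowlistCheck(src) {
  const tag = tokenizeTag(src);
  if (!tag) return { allowed: false, reason: 'not a start tag' };
  const ok = ALLOWED[tag.name];
  if (!ok) return { allowed: false, reason: 'element ' + tag.name };
  const bad = Object.keys(tag.attrs).filter((n) => !ok.includes(n));
  if (bad.length) return { allowed: false, reason: 'attribute ' + bad.join(', ') };
  return { allowed: true, reason: '' };
}

// A scheme-relative href ("//host/") inherits the page's own scheme, so a
// filter that only looks for an "http://" prefix would wrongly treat it as a
// same-site link. Resolve it against the page URL before deciding.
function resolveHref(href, pageUrl) {
  const u = new URL(href, pageUrl);
  return { href: u.href, sameOrigin: u.origin === new URL(pageUrl).origin };
}
```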

10 Responses to “Firefox weird javascript execution”

  1. steve writes:

    Interesting…

    Just reading your message options… do I read correctly that you support JavaScript in the comments?… this sounds dangerous…

    alert('Script should not be allowed in comments.');

    cheers
    steve

  2. Gareth Heyes writes:

    Hi Steve

    No you read incorrectly I support syntax colouring but nice try lol.

    <?php
    echo 'example';
    ?>
    
  3. Ronald van den Heetk writes:

    Hi Gareth,

    Yes they help out a lot of sloppy coders, they’ve managed to write some insanely good RegExes to interpret what you mean by writing that gibberish. Incredible isn’t it? I’ve had a couple of vectors myself that were just mind blowing and still worked. I think we all can agree on whitelisting now! 😉

  4. steve writes:

    Definitely strange… when you consider what the double slash in JavaScript terms is…

    <a href="javascript:doThis();//dontDoThis();">Click me</a>

    doThis should run, dontDoThis is commented out…

    Glad to hear this doesn’t work on IE though… or I’m sure there would be a horrid script on the loose. 😉

  5. Gareth Heyes writes:

    Whitelisting is the only way to go Ronald, there’s just so much that is possible. I think although you can be clever with RegExps someday you’ll get burned.

  6. Gareth Heyes writes:

    Steve yeah there’s some strange stuff with commenting too, Firefox doesn’t handle comments correctly and IE renders some pretty insane stuff too.

    The browsers should all adopt a strict standard which doesn’t allow this rubbish to get through because it’s only a matter of time before the next Myspace/Wordpress/Enter any site here worm gets loose on the internet.

  7. Lars Gunther writes:

    It looks like Firefox is actually honoring the SGML parsing rules! Weird for the average user and totally unusable. Thank goodness HTML 5 will remove the pretense that HTML is an SGML application.

  8. Gareth Heyes writes:

    I’d just like to say that the PHPIDS protects against even the attack mentioned in the post, which I found quite impressive. The project is open source and they’re not paying me to say they’re good either, honest, but I’ll give credit where credit is due and criticism where criticism is due, you know me 😉
    Get involved with their project

  9. Brad Shuttleworth writes:

    Actually – that first one is a valid HREF in terms of the rfcs – means “use the same scheme as this location, but change the other options”.

    Mucked me around when I ran into it while writing a rewriting-proxy… you can see it used on slashdot.org’s links.

  10. Gareth Heyes writes:

    Hmmmm interesting Brad thanks I didn’t know that.