Comments on: Firefox weird javascript execution http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/ A tool for designers dealing with programmers dealing with designers... Thu, 20 Nov 2008 21:26:27 +0000 http://wordpress.org/?v=2.6.2 By: Gareth Heyes http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-395 Gareth Heyes Thu, 16 Aug 2007 19:56:52 +0000 http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-395 Hmmmm interesting Brad thanks I didn't know that. Hmmmm interesting Brad thanks I didn’t know that.

]]> By: Brad Shuttleworth http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-394 Brad Shuttleworth Thu, 16 Aug 2007 19:02:26 +0000 http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-394 Actually - that first one is a valid HREF in terms of the rfcs - means "use the same scheme as this location, but change the other options". Mucked me around when I ran into it while writing a rewriting-proxy... you can see it used on slashdot.org's links. Actually - that first one is a valid HREF in terms of the rfcs - means “use the same scheme as this location, but change the other options”.

Mucked me around when I ran into it while writing a rewriting-proxy… you can see it used on slashdot.org’s links.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-369 Gareth Heyes Tue, 14 Aug 2007 08:44:09 +0000 http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-369 I'd just like to say that the PHPIDS protects against even the attack mentioned in the post. Which I found quite impressive, the project is open source and they're not paying me to say they're good either honest but I'll give credit were credit is due and criticism were criticism is due, you know me ;) <a href="http://php-ids.org/" rel="nofollow">Get involved with their project</a> I’d just like to say that the PHPIDS protects against even the attack mentioned in the post. Which I found quite impressive, the project is open source and they’re not paying me to say they’re good either honest but I’ll give credit were credit is due and criticism were criticism is due, you know me ;)
Get involved with their project

]]> By: Lars Gunther http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-368 Lars Gunther Tue, 14 Aug 2007 01:02:53 +0000 http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-368 It looks like Firefox is actually honoring the SGML parsing rules! Weird for the average user and totally unusable. Thank goodness HTML 5 will remove the pretense that HTML is an SGML application. It looks like Firefox is actually honoring the SGML parsing rules! Weird for the average user and totally unusable. Thank goodness HTML 5 will remove the pretense that HTML is an SGML application.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-366 Gareth Heyes Mon, 13 Aug 2007 20:49:19 +0000 http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-366 Steve yeah there's some strange stuff with commenting too, Firefox doesn't handle comments correctly and IE renders some pretty insane stuff too. The browsers should all adopt a strict standard which doesn't allow this rubbish to get through because it's only a matter of time before the next Myspace/Wordpress/Enter any site here worm gets loose on the internet. Steve yeah there’s some strange stuff with commenting too, Firefox doesn’t handle comments correctly and IE renders some pretty insane stuff too.

The browsers should all adopt a strict standard which doesn’t allow this rubbish to get through because it’s only a matter of time before the next Myspace/Wordpress/Enter any site here worm gets loose on the internet.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-365 Gareth Heyes Mon, 13 Aug 2007 20:46:24 +0000 http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-365 Whitelisting is the only way to go Ronald, there's just so much that is possible. I think although you can be clever with RegExps someday you'll get burned. Whitelisting is the only way to go Ronald, there’s just so much that is possible. I think although you can be clever with RegExps someday you’ll get burned.

]]> By: steve http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-363 steve Mon, 13 Aug 2007 20:28:17 +0000 http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-363 Definately strange... when you consider what the double slash in JavaScript terms is... <a href="javascript:doThis();//dontDoThis();">Click me</a> doThis should run, dontDoThis is commented out... Glad to hear this doesn't work on IE though... or I'm sure there would be a horrid script on the loose. ;-) Definately strange… when you consider what the double slash in JavaScript terms is…

<a href=”javascript:doThis();//dontDoThis();”>Click me</a>

doThis should run, dontDoThis is commented out…

Glad to hear this doesn’t work on IE though… or I’m sure there would be a horrid script on the loose. ;-)

]]> By: Ronald van den Heetk http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-362 Ronald van den Heetk Mon, 13 Aug 2007 20:19:39 +0000 http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-362 Hi Gareth, Yes they help out a lot of sloppy coders, they've managed to write some insanely good RegExes to interpret what you mean by writing that gibberish. Incredible isn't it? I've had a couple of vectors myself that were just mind blowing and still worked. I think we all can agree on whitelisting now! ;) Hi Gareth,

Yes they help out a lot of sloppy coders, they’ve managed to write some insanely good RegExes to interpret what you mean by writing that gibberish. Incredible isn’t it? I’ve had a couple of vectors myself that were just mind blowing and still worked. I think we all can agree on whitelisting now! ;)

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-361 Gareth Heyes Mon, 13 Aug 2007 19:47:10 +0000 http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-361 Hi Steve No you read incorrectly I support syntax colouring but nice try lol. <pre lang="php"> <?php echo 'example'; ?> </pre> Hi Steve

No you read incorrectly I support syntax colouring but nice try lol.

<?php
echo 'example';
?>
]]> By: steve http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-360 steve Mon, 13 Aug 2007 18:52:39 +0000 http://www.thespanner.co.uk/2007/08/13/firefox-weird-javascript-execution/#comment-360 Interesting... Just reading your message options... do I read correctly that you support JavaScript in the comments?... this sounds dangerous... alert('Script should not be allowed in comments.'); cheers steve Interesting…

Just reading your message options… do I read correctly that you support JavaScript in the comments?… this sounds dangerous…

alert(’Script should not be allowed in comments.’);

cheers
steve

]]>