IE7 javascript echo
Friday, 3 August 2007
This is a strange one. I’ve no clue why IE7 does this, but it appears to execute and echo javascript using multiple colons (:).
Check it out:
Echo javascript
No. 1 — August 3rd, 2007 at 12:46 pm
Yep – very bizarre. I was already wondering when updating the xssDB with your vectors seeing the javascript:alert: variant.
So IE7 allows functions to be called with name:param in general?
No. 2 — August 3rd, 2007 at 12:54 pm
It appears so yes, this could be dangerous but I haven’t really thought about it.
I think IE7 allows you to overwrite the document but still retain the properties, I’m a bit tired today so I can’t quite get my head round it :)
No. 3 — August 3rd, 2007 at 1:00 pm
This is a standard behavior, not a bug. The last operand is taken as output of the expression. For example:
javascript:4+4
will result in 8
but:
javascript:4+4;void(0)
results in nothing.
This is how you can generate HTML via JavaScript… it is like the data protocol.
javascript:'Check out'
simple! :)
No. 4 — August 3rd, 2007 at 1:05 pm
@pdp
I still think it’s a bug:-
javascript:'<script>alert(1)</script>'
No. 5 — August 3rd, 2007 at 1:07 pm
You can see where I’m going with that.
Or am I just tired? I was up late, I suppose once you’ve got javascript: you’ve got the document anyway. It is a different way of accessing the document though to avoid filters.
No. 6 — August 3rd, 2007 at 1:35 pm
nope :) it is not a bug. As I said, the content will be rendered as html. You are still in about:blank! I think that I discussed this somewhere on GC.
No. 7 — August 3rd, 2007 at 2:17 pm
Ok pdp I believe you :)
But hey look at what can do, good for avoiding filters:-
Test
No. 8 — August 3rd, 2007 at 2:36 pm
That link translates to:-
javascript:'<script>alert(1)</script>'
I know it’s on the about:blank document but still I found it interesting.
No. 9 — August 3rd, 2007 at 2:39 pm
Ehmm I wonder what you are actually trying to do with your example.
It seems for me to work in both IE7 and latest FF
No. 10 — August 3rd, 2007 at 2:56 pm
Hi Stefan I just thought IE7 and now it appears Firefox has some odd behavior. In that it allows you to directly insert html or javascript code through the url without document.write.
I noticed it when I was testing the PHPIDS for code injection. I’m not sure if it is really a problem or not because you have to use javascript: anyway.
No. 11 — August 4th, 2007 at 12:24 am
many people stumble upon that when they try something like and get an output like [window object] instead. And as Stefan already said, all browsers do that (starting from Netscape 2) :)
No. 12 — August 4th, 2007 at 12:25 am
aah, the link I wanted to post was this one:
[a href="javas*removethis*cript:window.open(…)"]
No. 13 — August 4th, 2007 at 7:39 am
Hi!
I also think it’s not a bug.. the javascript URI will output the response of the function to the document, it is the desired behavior, and in that I base JaSiLDBG (http://jasildbg.googlepages.com)..
:)
javascript:anything:thisfunctionsdoesntexist:”;
The anything:something:whatever: thing is because they are valid labels:
http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Statements:label
Greetz!!
No. 14 — August 4th, 2007 at 10:34 am
Yeah I agree it’s not a bug but it is quite an interesting way to avoid filters as my example in comment 7.
The : thing is quite interesting too because you can directly call a function in the url without using () again another thing to be aware of when developing html/javascript filters.
Thanks everyone!
No. 15 — August 4th, 2007 at 8:14 pm
it’s been round and used for a long time *EDITED (Nice Try) lol*
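The behaviour described in comments 3, 13 and 14, checked in code as an added example that is not part of the original thread: a javascript: URL body yields its completion value, label prefixes do not change that value, and a filter that decides on the URL scheme rejects such links where a filter looking for call syntax does not. The helper names and sample hrefs are constructed for illustration, and the href is assumed to be the attribute value after HTML entity decoding.

```javascript
// Added illustration. Helper names and sample hrefs are constructed, not from the thread.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Scheme as a browser's URL parser would see it, or null for a relative URL.
// Assumes href is the attribute value after HTML entity decoding.
function effectiveScheme(href) {
  const cleaned = href
    .replace(/^[\u0000-\u0020]+/, "") // leading controls and spaces are ignored
    .replace(/[\t\n\r]/g, "");        // tab, LF and CR are dropped anywhere
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist decision: the script body after "javascript:" is never inspected.
function isSafeHref(href) {
  const scheme = effectiveScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Pattern filter of the kind comment 14 warns about: it only looks for call syntax.
function naiveFilter(href) {
  return !/\w\s*\(/.test(href);
}

// Completion value of a javascript: URL body (indirect eval, constant inputs only).
function completionValue(body) {
  return (0, eval)(body);
}

const samples = [
  "https://example.test/page",
  "javascript:'<b>constructed</b>'",
  " JavaScript:anything:something:4+4",
];
for (const href of samples) {
  console.log(JSON.stringify(href), "naive:", naiveFilter(href), "allowlist:", isSafeHref(href));
}
// Last operand is the result; void(0) suppresses it; labels leave it unchanged.
console.log(completionValue("4+4"), completionValue("4+4;void(0)"),
            completionValue("anything:something:4+4"));
```

The allowlist check treats any unrecognised scheme as unsafe, so it does not need to know about labels, string results or any other body syntax.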