Comments for The Spanner http://www.thespanner.co.uk A tool for designers dealing with programmers dealing with designers... Tue, 16 Mar 2010 17:45:45 +0000 http://wordpress.org/?v=2.6.2 Comment on Inline UTF-7 E4X javascript hijacking by Gareth Heyes http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1705 Gareth Heyes Tue, 02 Mar 2010 22:00:47 +0000 http://www.thespanner.co.uk/?p=361#comment-1705 @Eli Interesting the E4X spec says this shouldn't be possible, have you got a POC? Anyway it's possible to get the rest of the doc using setTimeout and assigning the remaining HTML to a E4X variable @Eli

Interesting the E4X spec says this shouldn’t be possible, have you got a POC?

Anyway it’s possible to get the rest of the doc using setTimeout and assigning the remaining HTML to a E4X variable

]]> Comment on Inline UTF-7 E4X javascript hijacking by Eli Grey http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1704 Eli Grey Tue, 02 Mar 2010 21:50:12 +0000 http://www.thespanner.co.uk/?p=361#comment-1704 You can hijack the rest of the XML by defining a setter on XML.prototype. Then you could do xml.function::hijack = rest-of-the-xml. You can hijack the rest of the XML by defining a setter on XML.prototype. Then you could do xml.function::hijack = rest-of-the-xml.

]]> Comment on SpamBam! by بلياردو http://www.thespanner.co.uk/2007/02/12/spambam/#comment-1700 بلياردو Fri, 19 Feb 2010 23:24:14 +0000 http://www.thespanner.co.uk/2007/02/12/spambam/#comment-1700 WordPress оченьхорошо защищает от спама, за что ему огромное спасибо WordPress оченьхорошо защищает от спама, за что ему огромное спасибо

]]> Comment on Detecting browsers javascript hacks by Gareth Heyes http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/#comment-1698 Gareth Heyes Thu, 18 Feb 2010 22:09:53 +0000 http://www.thespanner.co.uk/?p=340#comment-1698 @noob Yeah probably a typo nobody is perfect :) @noob

Yeah probably a typo nobody is perfect :)

]]> Comment on Detecting browsers javascript hacks by noob http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/#comment-1697 noob Thu, 18 Feb 2010 17:53:04 +0000 http://www.thespanner.co.uk/?p=340#comment-1697 i was wondering why are you using ((/a/.toString+'')) instead of (/a/.toString+'') ? i was wondering why are you using ((/a/.toString+”)) instead of (/a/.toString+”) ?

]]> Comment on The safety net by Gareth Heyes http://www.thespanner.co.uk/2010/02/04/the-safety-net/#comment-1695 Gareth Heyes Mon, 15 Feb 2010 08:07:52 +0000 http://www.thespanner.co.uk/?p=586#comment-1695 @Robert The idea would be to only enable the SN when a specific action is taken like clicking on a link that takes you to a external web site, the SN is decided depending on the meta or http header of the parent site. For example twitter should have a meta identify as Social Network. This would allow sites to function as normal but prevent exploitation by limiting the user's "first click" @Robert

The idea would be to only enable the SN when a specific action is taken like clicking on a link that takes you to a external web site, the SN is decided depending on the meta or http header of the parent site. For example twitter should have a meta identify as Social Network.

This would allow sites to function as normal but prevent exploitation by limiting the user’s “first click”

]]> Comment on The safety net by Robert Jakobson http://www.thespanner.co.uk/2010/02/04/the-safety-net/#comment-1694 Robert Jakobson Mon, 15 Feb 2010 05:32:12 +0000 http://www.thespanner.co.uk/?p=586#comment-1694 This is exactly what the web needs, I dare say I have thought of something of this kind myself, however there is the question of how this would fit the kind of old "new trend" of having the user manipulating their own data ( or data of their friends / etc .. ) from one application inside another ? Therefore, there should be an ability to have a list of outside inputs or URL-s which are "trusted" and "accepted" sources in the context of any concrete safety net. This is exactly what the web needs, I dare say I have thought of something of this kind myself, however there is the question of how this would fit the kind of old “new trend” of having the user manipulating their own data ( or data of their friends / etc .. ) from one application inside another ?

Therefore, there should be an ability to have a list of outside inputs or URL-s which are “trusted” and “accepted” sources in the context of any concrete safety net.

]]> Comment on Detecting browsers javascript hacks by Gareth Heyes http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/#comment-1691 Gareth Heyes Tue, 09 Feb 2010 14:13:47 +0000 http://www.thespanner.co.uk/?p=340#comment-1691 @superhei Yep Mozilla decided this was a security issue when I reported it so these techniques can no longer be expected to work in later versions of Firefox @superhei

Yep Mozilla decided this was a security issue when I reported it so these techniques can no longer be expected to work in later versions of Firefox

]]> Comment on Detecting browsers javascript hacks by superhei http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/#comment-1690 superhei Tue, 09 Feb 2010 14:10:56 +0000 http://www.thespanner.co.uk/?p=340#comment-1690 /a/[-1]=='a' isn't work on firefox3.6 /a/[-1]==’a’ isn’t work on firefox3.6

]]> Comment on Facebook sandbox escape by gfy http://www.thespanner.co.uk/2010/01/29/facebook-sandbox-escape/#comment-1688 gfy Sat, 30 Jan 2010 12:01:56 +0000 http://www.thespanner.co.uk/?p=580#comment-1688 "The vector has now been fixed by Facebook." RAT “The vector has now been fixed by Facebook.”

RAT

]]>