--- Steven Champeon <schampeo@hesketh.com> schrieb:
I think you missed the point. He's actually just
inserting ill-formed
markup into the document flow and the browsers do
react in the ways he
described to such markup. As such, the problem
exists. Calling out moron
Web designers doesn't help much here. In HTML 3.2
and 4.0, for example,
an open TD tag is required, so when non-markup text
follows a start TR
tag, the browser doesn't know how to deal with that
text and places it
out of the table's document flow, which has the
result of throwing it
further up the page, outside /and preceding/ the
table in which it was
found. This is a well-known problem to Web designers
(who used to use it
to troubleshoot complex table-based page layouts),
but it doesn't
mitigate its importance to those concerned with
preventing XSS.
Steve
I didn't miss the point. He's actually just inserting
malformed data that the browser doesn't know what to
do with. Isn't that what I said? I only intended to
point out what the problem really was. It's not
injecting scripts to run under Yahoo's priveledges, no
information is passed to a third party, and either
some very simple social engineering or a real XSS vuln
would need to be employed to pass any information.
Calling out moron web devers is useless, I agree. But
it's just as pointless as pointing out that
incorrectly using tags is a way of troubleshooting. I
had a point with the original statement, but it
escapes me.
Anyway, a solution is really quite simple. Allow users
to disable HTML in their email, or why not by default?
- Will Wesley, BSCS
http://wieso.blogdrive.com
___________________________________________________________
Gesendet von Yahoo! Mail - Jetzt mit 1GB Speicher kostenlos - Hier anmelden:
http://mail.yahoo.de
