--- Steven Champeon <schampeo (at) hesketh (dot) com [email concealed]> schrieb:
> I think you missed the point. He's actually just
> inserting ill-formed
> markup into the document flow and the browsers do
> react in the ways he
> described to such markup. As such, the problem
> exists. Calling out moron
> Web designers doesn't help much here. In HTML 3.2
> and 4.0, for example,
> an open TD tag is required, so when non-markup text
> follows a start TR
> tag, the browser doesn't know how to deal with that
> text and places it
> out of the table's document flow, which has the
> result of throwing it
> further up the page, outside /and preceding/ the
> table in which it was
> found. This is a well-known problem to Web designers
> (who used to use it
> to troubleshoot complex table-based page layouts),
> but it doesn't
> mitigate its importance to those concerned with
> preventing XSS.
>
> Steve
I didn't miss the point. He's actually just inserting
malformed data that the browser doesn't know what to
do with. Isn't that what I said? I only intended to
point out what the problem really was. It's not
injecting scripts to run under Yahoo's priveledges, no
information is passed to a third party, and either
some very simple social engineering or a real XSS vuln
would need to be employed to pass any information.
Calling out moron web devers is useless, I agree. But
it's just as pointless as pointing out that
incorrectly using tags is a way of troubleshooting. I
had a point with the original statement, but it
escapes me.
Anyway, a solution is really quite simple. Allow users
to disable HTML in their email, or why not by default?
- Will Wesley, BSCS
http://wieso.blogdrive.com
___________________________________________________________
Gesendet von Yahoo! Mail - Jetzt mit 1GB Speicher kostenlos - Hier anmelden: http://mail.yahoo.de
--- Steven Champeon <schampeo (at) hesketh (dot) com [email concealed]> schrieb:
> I think you missed the point. He's actually just
> inserting ill-formed
> markup into the document flow and the browsers do
> react in the ways he
> described to such markup. As such, the problem
> exists. Calling out moron
> Web designers doesn't help much here. In HTML 3.2
> and 4.0, for example,
> an open TD tag is required, so when non-markup text
> follows a start TR
> tag, the browser doesn't know how to deal with that
> text and places it
> out of the table's document flow, which has the
> result of throwing it
> further up the page, outside /and preceding/ the
> table in which it was
> found. This is a well-known problem to Web designers
> (who used to use it
> to troubleshoot complex table-based page layouts),
> but it doesn't
> mitigate its importance to those concerned with
> preventing XSS.
>
> Steve
I didn't miss the point. He's actually just inserting
malformed data that the browser doesn't know what to
do with. Isn't that what I said? I only intended to
point out what the problem really was. It's not
injecting scripts to run under Yahoo's priveledges, no
information is passed to a third party, and either
some very simple social engineering or a real XSS vuln
would need to be employed to pass any information.
Calling out moron web devers is useless, I agree. But
it's just as pointless as pointing out that
incorrectly using tags is a way of troubleshooting. I
had a point with the original statement, but it
escapes me.
Anyway, a solution is really quite simple. Allow users
to disable HTML in their email, or why not by default?
- Will Wesley, BSCS
http://wieso.blogdrive.com
___________________________________________________________
Gesendet von Yahoo! Mail - Jetzt mit 1GB Speicher kostenlos - Hier anmelden: http://mail.yahoo.de
[ reply ]