=/= IE6 script wildcards =/=
_ 2007-07-03 16:51:59 _

Not again: IE6 has a newly discovered way of adding a script tag with the help of wildcards. To keep this short, I will copy the email in which everything is explained:

There are some characteristics in Internet Explorer that could aid attackers when doing XSS attacks.

In IExplorer:

    ??script:
and
    ???script:

are translated to vbscript:

so, for example:

    MYscript:msgbox("hi")
or
    YOUscript:msgbox("hi")

will be treated as:

    vbscript:msgbox("hi")

and anything with:

    ????script:

will be treated as: javascript:

so..

    somescript:alert("hi");

will be treated as:

    javascript:alert("hi");

It is simply unbelievable that something like this is allowed. IE7 is not vulnerable, but this behaviour can be used for new types of XSS attacks that will bypass many protections, if the user is running IE6.

Credit goes to: SirDarckCat.
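
An added example, not part of the original post or the quoted email: because IE6 maps unexpected "...script:" prefixes onto a script scheme, a filter that blocks only the literal javascript: and vbscript: strings passes the inputs quoted above, while a scheme allowlist rejects them. The function names and the allowed-scheme set are assumptions, and the input is assumed to be already HTML-entity decoded.

```javascript
// Added example: classifying user-supplied link targets by URL scheme.
// ALLOWED_SCHEMES and all function names are assumptions for illustration.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Remove ASCII control characters and whitespace before classifying, since
// browsers tolerate some of them inside a URL. Used for the decision only.
function squeeze(url) {
  return String(url).replace(/[\u0000-\u0020]/g, "");
}

// Weak form: block only the script schemes the filter author knows by name.
function blocklistAllows(url) {
  return !/^(javascript|vbscript):/i.test(squeeze(url));
}

// Hardened form: parse the scheme (RFC 3986 syntax) and require it to be on
// the allowlist. Anything else, including every "...script:" prefix, fails.
function allowlistAllows(url) {
  const s = squeeze(url);
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(s);
  if (m) return ALLOWED_SCHEMES.has(m[1].toLowerCase());
  // No well-formed scheme: accept as a relative reference only when no colon
  // appears before the first "/", "?" or "#" (e.g. "1script:x" is refused).
  const head = s.split(/[\/?#]/, 1)[0];
  return !head.includes(":");
}

// Inputs: the strings quoted in the email plus constructed benign ones.
const SAMPLES = [
  'MYscript:msgbox("hi")',
  'YOUscript:msgbox("hi")',
  'somescript:alert("hi");',
  'javascript:alert("hi");',
  "https://example.com/page",   // constructed
  "/profile?next=a:b",          // constructed relative reference
];

// One row per input: what each filter decides (true = link is let through).
function compare(samples) {
  return samples.map((u) => ({
    url: u,
    blocklist: blocklistAllows(u),
    allowlist: allowlistAllows(u),
  }));
}

console.table(compare(SAMPLES));
```
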