W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [WARP] Comments to WARP spec

From: Robin Berjon <robin@berjon.com>
Date: Wed, 18 Nov 2009 18:36:42 +0100
Cc: WebApps WG <public-webapps@w3.org>
Message-Id: <B41E9CAD-DDDE-40DB-8E28-B56B0753BC43@berjon.com>
To: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Hi Marcin,

On Nov 18, 2009, at 14:37 , Marcin Hanclik wrote:
>>> One could request an
>>> image that is redirected to http://address/of/image?put+a+complete+script+here
>>> and then evaluate the query.
> Ok, but then it will still be processed as image and will result in an invalid image, I think.

Not so. Consider the following piece of Perl:

#!/usr/bin/perl
print "Location: img.png?alert('I am evil!')\n\n";

And the following HTML:

<!DOCTYPE html>
<iframe src='img.pl' id='pl'></iframe>
<script>
  window.onload = function () {
      eval(unescape(document.getElementById("pl").contentDocument.location.search.substring(1)));
  }
</script>

This produces the expected alert. No script was ever exchanged, and I get the image to display perfectly fine.

-- 
Robin Berjon - http://berjon.com/
Received on Wednesday, 18 November 2009 17:37:11 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT