W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [WARP] Comments to WARP spec

From: Robin Berjon <robin@berjon.com>
Date: Wed, 18 Nov 2009 18:36:42 +0100
Cc: WebApps WG <public-webapps@w3.org>
Message-Id: <B41E9CAD-DDDE-40DB-8E28-B56B0753BC43@berjon.com>
To: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Hi Marcin,

On Nov 18, 2009, at 14:37 , Marcin Hanclik wrote:
>>> One could request an
>>> image that is redirected to http://address/of/image?put+a+complete+script+here
>>> and then evaluate the query.
> Ok, but then it will still be processed as image and will result in an invalid image, I think.

Not so. Consider the following piece of Perl:

print "Location: img.png?alert('I am evil!')\n\n";

And the following HTML:

<!DOCTYPE html>
<iframe src='img.pl' id='pl'></iframe>
  window.onload = function () {

This produces the expected alert. No script was ever exchanged, and I get the image to display perfectly fine.

Robin Berjon - http://berjon.com/
Received on Wednesday, 18 November 2009 17:37:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 20 October 2015 13:55:30 UTC