- From: Robin Berjon <robin@berjon.com>
- Date: Wed, 18 Nov 2009 18:36:42 +0100
- To: Marcin Hanclik <Marcin.Hanclik@access-company.com>
- Cc: WebApps WG <public-webapps@w3.org>
Hi Marcin,
On Nov 18, 2009, at 14:37 , Marcin Hanclik wrote:
>>> One could request an
>>> image that is redirected to http://address/of/image?put+a+complete+script+here
>>> and then evaluate the query.
> Ok, but then it will still be processed as image and will result in an invalid image, I think.
Not so. Consider the following piece of Perl:
#!/usr/bin/perl
print "Location: img.png?alert('I am evil!')\n\n";
And the following HTML:
<!DOCTYPE html>
<iframe src='img.pl' id='pl'></iframe>
<script>
window.onload = function () {
eval(unescape(document.getElementById("pl").contentDocument.location.search.substring(1)));
}
</script>
This produces the expected alert. No script was ever exchanged, and I get the image to display perfectly fine.
--
Robin Berjon - http://berjon.com/
Received on Wednesday, 18 November 2009 17:37:11 UTC