[whatwg] several messages about XML syntax and HTML5

Hi,

From: Sander Tekelenburg <tekelenb@euronet.nl>
>Right. That's a window of opportunity (for the sort of attack I mentioned)
>I'm voicing concern about. I agree that it will likely be much harder when
>all browsers are HTML5-compliant and most authors produce HTML5. But before
>that?

Well... for the past 7-8 years it has been possible to use IE's conditional 
comments to completely hide everything from non-IE browsers:

   <!--[if IE]>
    ...page content...
   <![endif]-->

Similarly, bugs in browsers' CSS implementation have made it possible to only 
show the content for a single browser, e.g.:

   body { display:none; }
   * html body { display:block; }

I'm sure you can find bugs or features in every language supported by 
browser vendors that allow for these kinds of attacks, and this has been 
possible for years. If it hasn't happened as of now, why do you think it 
will happen in the next few years? Does it matter if it is HTML parsing that 
is exploited or some other technology?

Regards,
Simon Pieters


Received on Friday, 8 December 2006 14:09:18 UTC
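
A static check for the two browser-targeting patterns shown in the message above, added here as an example and not part of the original post. The function names and sample inputs are constructed for illustration, and the CSS scan assumes flat rules (no nested blocks such as @media).

```python
import re

# Downlevel-hidden conditional comment: other browsers see one ordinary comment.
COND_COMMENT = re.compile(r"<!--\[if\s+([^\]]+)\]>(.*?)<!\[endif\]-->", re.S | re.I)
# Flat CSS rule "selector { declarations }" (assumption: no nested blocks).
CSS_RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
DISPLAY = re.compile(r"display\s*:\s*([a-z-]+)", re.I)


def scan_markup(html):
    """Return (condition, hidden_chars) for each conditional comment found."""
    return [(m.group(1).strip(), len(m.group(2).strip()))
            for m in COND_COMMENT.finditer(html)]


def scan_css(css):
    """Flag a hidden root element paired with a star-html rule that re-shows it."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # drop CSS comments first
    hidden, reshown = [], []
    for m in CSS_RULE.finditer(css):
        selector = " ".join(m.group(1).split())  # normalise whitespace
        d = DISPLAY.search(m.group(2))
        if not d:
            continue
        value = d.group(1).lower()
        if selector.lower() in ("body", "html") and value == "none":
            hidden.append(selector)
        elif selector.lower().startswith("* html") and value != "none":
            reshown.append(selector)
    return {"hidden": hidden, "reshown": reshown,
            "single_browser": bool(hidden and reshown)}


# Constructed sample inputs mirroring the two snippets in the message.
SAMPLE_HTML = "<html><body><!--[if IE]><p>page content</p><![endif]--></body></html>"
SAMPLE_CSS = "body { display:none; }\n* html body { display:block; }"

if __name__ == "__main__":
    print(scan_markup(SAMPLE_HTML))
    print(scan_css(SAMPLE_CSS))
```

A non-zero hidden_chars count or a true single_browser flag means the page renders differently depending on the browser, which is worth a manual look when reviewing third-party markup.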