- From: Giovanni Campagna <scampa.giovanni@gmail.com>
- Date: Fri, 19 Jun 2009 13:40:07 +0200
2009/6/19 Kristof Zelechovski <giecrilj at stegny.2a.pl>:
> You can easily include a cross-domain script using a cross-domain DTD; just
> attach the malware as
>
> <!ATTLIST body onload CDATA ?{ sniper.shoot(); }? >
>
> and hope for the worst.
>
> Chris
You need to own the external subset, though, in order to add that
<!ATTLIST>. It is like saying that shared JS libraries are dangerous
because you import code from other sources.
Giovanni
Received on Friday, 19 June 2009 04:40:07 UTC