Haydn
(Oct 14, 2005 - 10:16 AM)
Blech, now betanews can't parse my post properly and I can't edit it to say what it's meant to. Here's a reply with what I meant to say (guess I'll have to avoid any tags in case it ****s up again).
MySpace blocks JavaScript and Script tags so that you can't slap in some bad code.
Samy used a CSS tag, then instead of using CSS stuff, simply put in half the JavaScript tag on one line, and the other half on the next line.
This should not be parsed as javascript code, it should be parsed as invalid CSS code, but since IE likes broken code, it will go ahead and execute it anyway.
So any users who are on IE will be affected by this. It's not really a bug in MySpace, more like a bug in IE which can be exploited on MySpace.
(Oct 14, 2005 - 10:07 AM)
I've never visited the site, but the article says MySpace blocks the word JavaScript so that you can't slap in some code.
I'm assuming that 'Samy' used (for example) "" followed by the vulnerability code. Possibly IE is the only browser (wouldn't surprise me, but I hate IE so much I'm not even going to test it out) which will see this as an actual script tag and execute it. This way, MySpace is blocking the javascript tag, but IE's bad parsing will mean it is executed anyway.
Just a guess.
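The filter gap described in the two comments above, shown from the filtering side as an added example that is not part of either post and is not MySpace's code. The function names, the property allowlist and the sample inputs are assumptions made for illustration; it compares a raw keyword blocklist, the same blocklist applied after whitespace is removed, and a strict allowlist for style values.

```javascript
// Added example: names and sample inputs are constructed for illustration.
const BLOCKED = ["javascript", "<script"];

// Blocklist as described in the comments: substring match on the raw text.
function naiveBlocks(value) {
  const lower = value.toLowerCase();
  return BLOCKED.some((word) => lower.includes(word));
}

// Same blocklist, but whitespace and control characters are removed first,
// so a keyword split across lines is rejoined before matching.
function normalisedBlocks(value) {
  const joined = value.replace(/[\s\u0000-\u001f\u007f]/g, "").toLowerCase();
  return BLOCKED.some((word) => joined.includes(word));
}

// Allowlist alternative: accept only known properties with plain values.
const ALLOWED_PROPS = new Set(["color", "background-color", "width", "height"]);
const PLAIN_VALUE = /^[a-z0-9#%. -]+$/i; // no newlines, colons, quotes or parentheses

function allowlistAccepts(style) {
  return style
    .split(";")
    .map((decl) => decl.trim())
    .filter((decl) => decl.length > 0)
    .every((decl) => {
      const idx = decl.indexOf(":");
      if (idx < 0) return false;
      const prop = decl.slice(0, idx).trim().toLowerCase();
      const val = decl.slice(idx + 1).trim();
      return ALLOWED_PROPS.has(prop) && PLAIN_VALUE.test(val);
    });
}

// Constructed inputs; PLACEHOLDER stands in for any script body.
const SPLIT_KEYWORD = "background-color: java\nscript:PLACEHOLDER";
const BENIGN = "color: #336699; width: 80%";

// One result row per input, in the order [SPLIT_KEYWORD, BENIGN].
function report() {
  return [SPLIT_KEYWORD, BENIGN].map((s) => ({
    naive: naiveBlocks(s),
    normalised: normalisedBlocks(s),
    allowlist: allowlistAccepts(s),
  }));
}
console.log(report());
```

The raw blocklist lets the split keyword through, while the allowlist rejects it without needing to know the keyword at all.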