illynova, Mar 18, 2006
Wow, maybe if it was in English we could actually understand it.
Closed Account, Mar 18, 2006
A better version that actually shows the image:
<img style="display: none;" alt="<script>"</script><script>alert("Hello");</script><img src="http://www.google.it/images/logo_sm.gif" border="0">
Closed Account, Mar 18, 2006
Now I feel stupid... ignore everything I posted
andr3a, Mar 18, 2006 (Submitter)
Not a bug? Why? The script executed from the title and alt tag.
loucypher, Mar 18, 2006
No. Not from the title. See my examination above.
The image tag starts from here < img alt="<script>alert("Ciao ");</script> and ends here
Open your test page and inspect it with DOM Inspector for details.
andr3a, Mar 18, 2006 (Submitter)
But it is a bug, isn't it?
dbaron, Mar 18, 2006
My guess (from the code, not the text) is that the author is saying that tools that sanitize somebody else's untrusted HTML can have script let through into their sites this way. However, that's not a bug in Firefox -- that's a broken sanitizer -- since the sanitizer shouldn't be allowing quotation marks inside attribute values. The alt attribute ends at the second quote (the parentheses don't mean anything), so the image tag ends at the first >, and then there is a script element following.
Closed Account, Mar 18, 2006
Not really a bug, more of a common issue with parsing in general. There is no easy way for the parser to figure out which tokens, in this case quotes, match since it could just as well be meant to be that way. It is the same issue that allows for SQL injection. It works in any browser and any tag. You just close the image tag (i.e. ">) and add your script afterward. The actual closing characters are then just treated as text.
<img src="foo.gif" alt=""><script>alert("bar");</script>">
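The point made in the two comments above, as an added example that is not part of the original thread: a simplified model of where a start tag ends, run on the same markup built with and without attribute escaping. All function names are hypothetical and the input string is constructed.

```javascript
// Added illustration: function names are hypothetical, sample strings are constructed.

// Simplified model of how an HTML tokenizer finds the end of a start tag.
// A quote right after '=' opens a value that runs to the next matching quote;
// the first '>' outside such a value closes the tag.
function startTagEnd(html) {
  let i = html.indexOf("<");
  if (i < 0) return -1;
  let quote = null;        // quote character of the value we are inside, if any
  let afterEquals = false; // true between '=' and the start of its value
  for (i++; i < html.length; i++) {
    const c = html[i];
    if (quote) {
      if (c === quote) quote = null; // value ends here, whatever follows
      continue;
    }
    if (c === ">") return i;
    if (afterEquals && (c === '"' || c === "'")) quote = c;
    if (!/\s/.test(c)) afterEquals = c === "=";
  }
  return -1;
}

// Markup that the parser sees after the first tag has closed.
function afterFirstTag(html) {
  const end = startTagEnd(html);
  return end < 0 ? "" : html.slice(end + 1);
}

// Broken: untrusted text is pasted into a quoted attribute value unchanged.
function imgUnescaped(alt) {
  return '<img src="foo.gif" alt="' + alt + '">';
}

// Fixed: characters that can end the value or the tag become entities.
const ENTITIES = { "&": "&amp;", '"': "&quot;", "'": "&#39;", "<": "&lt;", ">": "&gt;" };
function escapeAttr(text) {
  return String(text).replace(/[&"'<>]/g, (c) => ENTITIES[c]);
}
function imgEscaped(alt) {
  return '<img src="foo.gif" alt="' + escapeAttr(alt) + '">';
}

// Constructed input that reproduces the markup quoted in the comment above.
const untrusted = '"><script>alert("bar");</script>';
console.log(afterFirstTag(imgUnescaped(untrusted))); // script element follows the tag
console.log(afterFirstTag(imgEscaped(untrusted)));   // empty: everything stayed inside alt
```

Escaping is applied at the point where the attribute is written, so the browser never sees a quote that the page author did not put there.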