Thou art so tolerant

Web browsers are quite helpful: if you are a web designer and you don't produce (X)HTML-compliant pages, they will be rendered correctly anyway, because browsers are quite fault-tolerant. But some features in some browsers are questionable. Here are some advanced examples:

  • Even though this file has a strange extension, IE will interpret the JavaScript inside: http://kleinerfeigling.kl.ohost.de/hubi.istdick
  • IE guesses the protocol you wanted to use, so try to enter this link: somescript:alert("hi");
    See here for more examples of that. It seems that a simple link to this doesn't work, but with a few tricks you can execute it:
    <a ONclicK=` ;; morescript:alert(String.fromCharCode(88,83,83))` xhref='#'>TEST</a>
  • The last example actually contains another trick to hide malicious code: the value of the onclick attribute is delimited with backticks (`) instead of quotes.
  • Do you know the data protocol of Firefox? You can hide JavaScript in it, and you can even base64-encode it. Try this link: data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
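
A defensive counterpart to the list above, as an added example that is not part of the original post: because tolerant browsers accept schemes a filter author never thought of, a link filter should allowlist schemes rather than blocklist them, and a data: URI should be decoded before anyone judges it. The function names and the contents of the allowlist are assumptions.

```javascript
// Added example (not from the original post); all names are hypothetical.
// Policy: allow only known schemes instead of enumerating bad ones.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumed policy

// Returns { ok, reason } for a user-supplied link target.
function checkLinkTarget(raw) {
  // URL parsers drop tabs/newlines and trim leading control chars and
  // spaces, so remove them before looking for a scheme.
  const value = String(raw)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
  // A scheme can only appear before the first '/', '?' or '#'.
  const head = value.split(/[\/?#]/, 1)[0];
  const colon = head.indexOf(":");
  if (colon === -1) return { ok: true, reason: "relative URL" };
  const scheme = head.slice(0, colon).toLowerCase();
  if (ALLOWED_SCHEMES.has(scheme)) {
    return { ok: true, reason: "allowed scheme: " + scheme };
  }
  return { ok: false, reason: "scheme not on allowlist: " + scheme };
}

// For triage: reveal what a data: URI carries, base64-encoded or not.
function decodeDataUri(raw) {
  const m = /^data:([^,;]*)((?:;[^,;]*)*),(.*)$/is.exec(String(raw).trim());
  if (!m) return null;
  let body = m[3];
  try {
    body = /;base64$/i.test(m[2])
      ? Buffer.from(m[3], "base64").toString("utf8")
      : decodeURIComponent(m[3]);
  } catch (e) {
    // Malformed percent-encoding: keep the raw payload for the analyst.
  }
  return { mediaType: m[1].toLowerCase() || "text/plain", body };
}

// The two link strings from the post plus two constructed benign links.
const samples = [
  'somescript:alert("hi");',
  "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K",
  "https://example.com/docs?topic=a:b",
  "/relative/path",
];
for (const s of samples) {
  console.log(checkLinkTarget(s), decodeDataUri(s));
}
```

The check only covers link targets; event-handler attributes such as the onclick in the post need to be stripped by the HTML sanitizer itself.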

Older tricks can be found in the XSS Cheat Sheet.