Hello bugtraq, Title: Bypassing JavaScript filters Service: Anonymizer, maybe similar services Description: Anonymizer offers free and commercial services that allow to browse web safely. Since JavaScript can be dangerous, all script blocks and events are cut from html. Problem N3: Maybe you remember the problem I've reported in 2001 - JavaScript code could be executed after parsing the html by Anonymizer. The same principle of "JavaScript inside JavaScript" gave me the working example of redirecting Anonymizer users recently. Demo is available as Test N3 at http://anon.free.anonymizer.com/http://tools-on.net/you.shtml The part of the code before parsing: onLoad="onLoad="document.cookie='rw=; expires=Thu, 01-Jan-1970 onLoad="location='unprotected_location';" The same code after parsing: onLoad="location='unprotected_location';" Errors generated for visitors without Anonymizer are suppressed by window.onError handler. Problem status: Anonymizer has been contacted and patched already. Best regards, Alexander ----------------------------------------------------------------------- MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000 http://leader.ru http://tools-on.net (Security & Privacy on the Net) -----------------------------------------------------------------------
