--- Steven Champeon <schampeo@xxxxxxxxxxx> schrieb: > I think you missed the point. He's actually just > inserting ill-formed > markup into the document flow and the browsers do > react in the ways he > described to such markup. As such, the problem > exists. Calling out moron > Web designers doesn't help much here. In HTML 3.2 > and 4.0, for example, > an open TD tag is required, so when non-markup text > follows a start TR > tag, the browser doesn't know how to deal with that > text and places it > out of the table's document flow, which has the > result of throwing it > further up the page, outside /and preceding/ the > table in which it was > found. This is a well-known problem to Web designers > (who used to use it > to troubleshoot complex table-based page layouts), > but it doesn't > mitigate its importance to those concerned with > preventing XSS. > > Steve I didn't miss the point. He's actually just inserting malformed data that the browser doesn't know what to do with. Isn't that what I said? I only intended to point out what the problem really was. It's not injecting scripts to run under Yahoo's priveledges, no information is passed to a third party, and either some very simple social engineering or a real XSS vuln would need to be employed to pass any information. Calling out moron web devers is useless, I agree. But it's just as pointless as pointing out that incorrectly using tags is a way of troubleshooting. I had a point with the original statement, but it escapes me. Anyway, a solution is really quite simple. Allow users to disable HTML in their email, or why not by default? - Will Wesley, BSCS http://wieso.blogdrive.com ___________________________________________________________ Gesendet von Yahoo! Mail - Jetzt mit 1GB Speicher kostenlos - Hier anmelden: http://mail.yahoo.de