Makes sense as a trick to bypass some crappy XSS filters that look forstrings like "javascript:", but I don't think it's a vulnerability in itself. On Fri, Dec 16, 2011 at 5:20 PM, Jann Horn <jannhorn@xxxxxxxxxxxxxx> wrote: > > 2011/12/15 Bouke van Laethem <vanlaethem@xxxxxxxxx>: > > ISSUE: > > The <base> tag is parsed outside of <head></head>. This can lead to > > the base being reset, both before and after the <base> tag being > > injected, depending on browser types and versions. As a result, images > > and javascript can be loaded from an attackers domain, and forms and > > hyperlinks point to the attackers domain. > > Erm... so you're basically assumint that the attacker can inject stuff > into the page? If that's the case, you should have other issues than > your links getting altered or so, no? E.g. what about javascript > injection? -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”