What's new? | Help | Directory | Sign in
Google
Project Home
  
Downloads
  
Wiki
  
Issues
  
Source
    
Search
for
Updated Nov 01, 2007 by mikesamuel
Labels: Attack-Vector
EventHandlersEvalWithDom  

Reported by Gareth

Event handlers execute in a scope that binds globals to DOM Properties

Effect

A DOM node may be manipulated by global assignment in a way that could execute unsanitized javascript.

Background

DOM Level 2 defines event handlers to allow scripts to fire when an OS event occurs in the context of a node.

These handlers are typically snippets of javascript that execute in an environment that provides access to the event being handled, and bind this to the DOM node.

Some browsers also provide global bindings for DOM node fields.

Assumptions

DOM event handlers are allowed and execute in the normal scope and global assignment is allowed.

Versions

IE

Example

<a onclick="URL=name" name="javascript:alert('hello')">clicky</a>

Sign in to add a comment