dslreports logo
    All Forums Hot Topics Gallery


how-to block ads

Search Topic:
share rss forum feed

Built for Speed
Fort Wayne, IN
·Frontier Communi..

1 recommendation

reply to therube

Re: Universal XSS in Opera

said by therube:

... It is more that you were "displayed" a page representative of Wikipedia's log-in page.
(And it probably works too?)

If it were Wikipedia, javascript:alert(document.domain) would have said so.

Your first sentence is correct. The red Opera badge does appear to the left of the Wikipedia "page" address (indicating it was not a webpage accessed in a normal browser manner). Frankly, I paid little attention to the Wiki "page" itself or any badging initially, in my eagerness to get your text entered correctly into the address box after it appeared, and because I was instead looking for some kind of Javascript alert box to appear - which it did, when I entered the text. Needless to say, I was looking for the wrong thing. (Not the first time... and probably not the last )

So... whatever you set up at tinyurl does create the appearance of a Wiki "page" in Opera, although Opera badges it as an internal-created browser display (the data URI behavior). In playing around to see what the Wiki "page" would do if I tried to log in, it immediately coughed up more of the JavaScript alert boxes no matter what I attempted to enter. Also, clicking on any links on the "page" resulted in an Opera error message about "unsupported address type."
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775
Expand your moderator at work