dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
share rss forum feed


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 recommendation

reply to therube

Re: Universal XSS in Opera

said by therube:

... It is more that you were "displayed" a page representative of Wikipedia's log-in page.
(And it probably works too?)

If it were Wikipedia, javascript:alert(document.domain) would have said so.
...

Your first sentence is correct. The red Opera badge does appear to the left of the Wikipedia "page" address (indicating it was not a webpage accessed in a normal browser manner). Frankly, I paid little attention to the Wiki "page" itself or any badging initially, in my eagerness to get your text entered correctly into the address box after it appeared, and because I was instead looking for some kind of Javascript alert box to appear - which it did, when I entered the text. Needless to say, I was looking for the wrong thing. (Not the first time... and probably not the last )

So... whatever you set up at tinyurl does create the appearance of a Wiki "page" in Opera, although Opera badges it as an internal-created browser display (the data URI behavior). In playing around to see what the Wiki "page" would do if I tried to log in, it immediately coughed up more of the JavaScript alert boxes no matter what I attempted to enter. Also, clicking on any links on the "page" resulted in an Opera error message about "unsupported address type."
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775
Expand your moderator at work