Like Anders says: Blender makes a very good point about authentication dialogs, and multithr3at3d is right about the `on` attributes. Moreover, Anders also argues about the `<a>` tag and Matija has a good link about exploiting libraries doing the rendering.

First of all let's assume that all input and output is properly sanitized so tricks with onerror/onload are not possible.

An `<img>` tag is pretty safe because the browser will not invoke a parser (e.g. an XML or HTML parser), it knows that what will come is an image (gif, jpeg, png). The browser will perform the HTTP request, and it will simply read the MIME of what came (in the Content-Type header). If the answer does not have a Content-Type several browsers will guess based on the extension, yet they will only guess image MIMEs: image/jpeg, image/png or image/gif (tiff, bmp and ppm are dubious, some browsers may have limited support to guess them). Some browsers may even try to guess the image format based on magic numbers, but then again they will not try to guess esoteric formats.

If the browser can match the (possibly guessed) MIME it loads the correct rendering library; rendering libraries may have an overflow but that is another story. If the MIME does not match against an image rendering library the image is discarded. If the rendering library call fails the image is discarded as well. The browser is never even close to an execution (script) context.

To perform XSS we need an execution context. Most browsers enter execution context only from the javascript parser, and they can only reach the javascript parser from the application/javascript MIME or from the XML or the HTML parsers (since they may have embedded scripts).
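The decision path the answer describes, as an added example (not code from the original answer or from any browser): a small Node.js model of what happens to the response of an `<img src="...">` request. The only two outcomes are "hand the bytes to an image decoder" or "discard"; there is no branch that reaches the HTML, XML or JavaScript parser, which is the point the answer makes. The magic numbers are the PNG, GIF and JPEG patterns from the WHATWG MIME Sniffing standard; the header/extension/sniff ordering, the supported-format list and the `decodeImage` stand-in for a rendering library are simplifying assumptions, and the sample responses (including the `<script>` payload) are constructed for the example.

```javascript
'use strict';

// Leading-byte patterns for the formats the answer names (WHATWG image type patterns).
const IMAGE_SIGNATURES = [
  { mime: 'image/png',  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/gif',  magic: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // "GIF87a"
  { mime: 'image/gif',  magic: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // "GIF89a"
  { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
];

// Extensions a browser falls back to when no Content-Type is sent (assumed list:
// only image types, never HTML or script).
const EXTENSION_TYPES = { png: 'image/png', gif: 'image/gif', jpg: 'image/jpeg', jpeg: 'image/jpeg' };

// Formats for which this model has a "rendering library" (assumption).
const SUPPORTED_DECODERS = new Set(['image/png', 'image/gif', 'image/jpeg']);

function startsWith(bytes, magic) {
  return magic.every((b, i) => bytes[i] === b);
}

// Magic-number sniffing. Returns an image MIME or null; by construction it can
// never yield text/html or application/javascript, whatever the bytes contain.
function sniffImageType(bytes) {
  const hit = IMAGE_SIGNATURES.find(sig => startsWith(bytes, sig.magic));
  return hit ? hit.mime : null;
}

function guessFromExtension(url) {
  const m = /\.([a-z0-9]+)(?:[?#]|$)/i.exec(url);
  return m ? EXTENSION_TYPES[m[1].toLowerCase()] || null : null;
}

// "image/png; charset=utf-8" -> "image/png"; null when the header is absent.
function parseContentType(headers) {
  const ct = headers['content-type'];
  return ct ? ct.split(';')[0].trim().toLowerCase() : null;
}

// Stand-in for the real decoder call: it accepts the bytes only if they carry the
// signature of the format it was asked to decode, otherwise it "fails".
function decodeImage(mime, bytes) {
  return IMAGE_SIGNATURES.some(sig => sig.mime === mime && startsWith(bytes, sig.magic));
}

// The browser-side decision for one <img> response. Returns
// { outcome: 'render', mime } or { outcome: 'discard', reason }.
function handleImageResponse(url, headers, body) {
  const bytes = Buffer.isBuffer(body) ? body : Buffer.from(body);
  const declared = parseContentType(headers);
  // Only an image/* Content-Type is honoured; anything else counts as unknown and
  // the browser falls back to guessing (magic numbers first, then the extension).
  const fromHeader = declared && declared.startsWith('image/') ? declared : null;
  const mime = sniffImageType(bytes) || fromHeader || guessFromExtension(url);

  if (!mime) return { outcome: 'discard', reason: 'no image type could be determined' };
  if (!SUPPORTED_DECODERS.has(mime)) return { outcome: 'discard', reason: `no decoder for ${mime}` };
  if (!decodeImage(mime, bytes)) return { outcome: 'discard', reason: `${mime} decoder rejected the bytes` };
  return { outcome: 'render', mime };
}

// Constructed sample responses: a real PNG header, and an HTML page carrying a script.
const PNG_HEADER = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
                                0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52]);
const HTML_PAYLOAD = '<html><script>alert(document.cookie)</script></html>';

function runSamples() {
  return {
    genuinePng:      handleImageResponse('/a.png',  { 'content-type': 'image/png' },  PNG_HEADER),
    scriptAsHtml:    handleImageResponse('/a.png',  { 'content-type': 'text/html' },  HTML_PAYLOAD),
    scriptAsPng:     handleImageResponse('/a.png',  { 'content-type': 'image/png' },  HTML_PAYLOAD),
    noHeaderSniffed: handleImageResponse('/x',      {},                               PNG_HEADER),
    noHeaderExtOnly: handleImageResponse('/a.jpg',  {},                               HTML_PAYLOAD),
    unsupported:     handleImageResponse('/a.tiff', { 'content-type': 'image/tiff' }, Buffer.from('II*\0')),
  };
}

for (const [name, result] of Object.entries(runSamples())) {
  console.log(name.padEnd(16), result.outcome, result.mime || result.reason);
}
```

Running the block prints one line per sample: the genuine PNG and the header-less PNG render, every variant of the script payload (declared as text/html, declared as image/png, or with no header and a `.jpg` extension) is discarded by the decoder, and the TIFF is discarded for lack of a decoder. Real browsers differ in the exact sniffing order and in which formats they support, so treat the ordering above as an illustration of the answer's argument rather than as any browser's actual algorithm.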