dqw / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

Phishing: negative margins #25

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
margin-top:-50px is possible with myspace policy. In some cases this can be used just like position offsets.

Original issue reported on code.google.com by designbi...@gmail.com on 17 Aug 2008 at 4:06

GoogleCodeExporter commented 8 years ago
Submit this code to: http://blog.supremedesign.ru/xss
<div style="color:red; margin-top:-120px; border:red solid; background:blue;">test</div>

Original comment by designbi...@gmail.com on 17 Aug 2008 at 4:08

GoogleCodeExporter commented 8 years ago

Original comment by arshan.d...@gmail.com on 19 Nov 2008 at 7:10

GoogleCodeExporter commented 8 years ago

Original comment by arshan.d...@gmail.com on 19 Nov 2008 at 7:14

GoogleCodeExporter commented 8 years ago

Original comment by arshan.d...@gmail.com on 25 Nov 2008 at 10:35

GoogleCodeExporter commented 8 years ago
Note that this issue only seems to affect IE. It had no effect in Firefox (no other browsers tested).

Nonetheless, changed policy file to disallow negative margins.

Accomplished by replicating all numeric regular expressions and adding a "positive" version. For example, I added positiveNumber to match the regular expression for number except that it does not allow negative numbers.

Then I changed the CSS margin property allowed values to be only positive values.

Original comment by li.jaso...@gmail.com on 17 Mar 2009 at 3:35
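
The approach described in the comment above, sketched as an added example that is not part of the original thread or the AntiSamy code base: a signed length pattern is replicated as a positive-only one, and margin properties are validated against the positive version. The pattern bodies, the names `LENGTH`, `POSITIVE_LENGTH` and `filter_style`, and the unit list are assumptions made for illustration, not the contents of the policy file.

```python
import re

# Constructed patterns for illustration; not copied from the AntiSamy policy file.
UNITS = r"(?:em|ex|px|in|cm|mm|pt|pc|%)"
# "Before": a signed length, so -120px is an allowed margin value.
LENGTH = re.compile(rf"[-+]?(?:0|\d+(?:\.\d+)?{UNITS})")
# "After": the replicated pattern with the minus sign no longer accepted.
POSITIVE_LENGTH = re.compile(rf"\+?(?:0|\d+(?:\.\d+)?{UNITS})")

MARGIN_PROPS = {"margin", "margin-top", "margin-right",
                "margin-bottom", "margin-left"}

def filter_style(style, margin_value):
    """Drop margin declarations whose values do not all match margin_value.

    Other properties pass through untouched here; a real policy validates
    every property against its own allow-list.
    """
    kept = []
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        name, value = name.strip().lower(), value.strip().lower()
        if not sep or not name or not value:
            continue  # empty or malformed declaration
        if name in MARGIN_PROPS:
            tokens = value.split()
            # The shorthand takes up to 4 values, a longhand exactly 1.
            limit = 4 if name == "margin" else 1
            if len(tokens) > limit or not all(
                    t == "auto" or margin_value.fullmatch(t) for t in tokens):
                continue
        kept.append(f"{name}: {value}")
    return "; ".join(kept)

# The style attribute from the report in this thread.
REPORTED = "color:red; margin-top:-120px; border:red solid; background:blue;"

if __name__ == "__main__":
    print(filter_style(REPORTED, LENGTH))            # margin-top survives
    print(filter_style(REPORTED, POSITIVE_LENGTH))   # margin-top is dropped
    print(filter_style("margin: 0 auto -50px 10px", POSITIVE_LENGTH))
```

The shorthand case matters: a single negative value inside `margin: 0 auto -50px 10px` has to fail the whole declaration, which is why every token is matched with `fullmatch` rather than searching the value as one string.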

GoogleCodeExporter commented 8 years ago
Change has been checked in.

Original comment by li.jaso...@gmail.com on 17 Mar 2009 at 3:55

GoogleCodeExporter commented 8 years ago

Original comment by arshan.d...@gmail.com on 3 Aug 2009 at 2:41