Author Topic: Using the backbutton in IE is dangerous  (Read 1917 times)

hpguru

  • Moderator
  • Sr. Member
  • *****
  • Posts: 257
    • http://lightning.prohosting.com/~hpguru/
Using the backbutton in IE is dangerous
« on: April 17, 2002, 09:22:48 AM »
Here's the story:

http://online.securityfocus.com/archive/1/267561

Sample exploit:

http://www.eg.bucknell.edu/~ekrout/IE_Hack.html

And this will fix it.


Name = "Kill Javascript Link Popups & Exploits"
Active = TRUE
Bounds = "$NEST(<a,</a>)"
Limit = 256
Match = "*href="javascript:*"*"
Replace = "<div style="font-family: Arial; font-weight: bold;"
          "font-size: smaller; color: red; text-decoration: underline;">"
          "Possible JS Protocol Exploit Link Removed."
          "</div>"



You may want to tweak this to meet your own needs since this will replace all JS links.

Facing each other,
a thousand miles apart.

hpguru
« Reply #1 on: April 20, 2002, 11:23:12 PM »
Here's an improved filter. Rather than replacing the link it gives a "Heads up!".


Name = "Warn on JS Links"
Active = TRUE
Bounds = "$NEST(<a*>,,</a>)"
Limit = 256
Match = "*\shref=($AV(javascript:*))\1*"
Replace = "<a href=\1>!JS LINK! - </a>"


 
Facing each other,
a thousand miles apart.
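
As an added example (not code from this thread or from Proxomitron), the JavaScript below does the same job as the "Warn on JS Links" filter above: it flags, rather than removes, anchors whose href uses the javascript: scheme, and it normalizes the attribute value the way a browser does before comparing. The function names, the marker markup and the sample HTML are constructed for illustration.

```javascript
// Added example: warn on <a> tags whose href resolves to the javascript: scheme.
// All names and the sample page are constructed; a production filter should use
// a real HTML parser, since regex tag scanning breaks on '>' inside attributes.

const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');

// Decode the character references that matter for a scheme check.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&colon;/gi, ':')
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n');
}

// Browsers strip leading controls/spaces and drop tab/CR/LF before parsing a URL,
// so the comparison must run on the normalized value, not the raw attribute text.
function isJavascriptUrl(rawHref) {
  const url = decodeEntities(rawHref)
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\t\n\r]/g, '');
  return /^javascript:/i.test(url);
}

// Opening <a ...> tag with a double-quoted, single-quoted or bare href value.
const ANCHOR = /<a(?=\s)[^>]*?\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;

// Leave the link intact but put a visible marker in front of it.
function warnOnJsLinks(html) {
  let flagged = 0;
  const out = html.replace(ANCHOR, (tag, dq, sq, bare) => {
    if (!isJavascriptUrl(dq ?? sq ?? bare)) return tag;
    flagged += 1;
    return '<b style="color:red">!JS LINK! - </b>' + tag;
  });
  return { html: out, flagged };
}

// Constructed sample page: one ordinary link, three javascript: links, one path.
const SAMPLE = [
  '<a href="https://example.com/">plain</a>',
  '<a href="javascript:void(0)">exact match</a>',
  '<a class=x href=" JavaScript:void(0)">case and leading space</a>',
  '<a href="java&#x09;script&colon;void(0)">character references</a>',
  '<a href="/docs/javascript:intro">path, not scheme</a>',
].join('\n');

console.log(warnOnJsLinks(SAMPLE).html);
```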

pooms

  • Jr. Member
  • **
  • Posts: 75
« Reply #2 on: April 23, 2002, 02:44:53 AM »
Rather than actually modifying javascript links (because it tends to
screw up page layouts, such as on this forum!), I'm just using
the "Change Link Style" filters described on this thread:
http://asp.flaaten.dk/pforum/topic.asp?ARCHIVE=&TOPIC_ID=452
with this javascript hover style:
a.javascript:hover{text-decoration : none; border: thin dashed blue;}
That way the style change when I move the mouse over the javascript
link catches my attention before I click the link.
The good thing about this is that it only affects layout in a minor
way, although it puts the onus on me to not click the link!