Re: New URL spoofing bug in Microsoft Internet Explorer

From: Angus Scott-Fleming (angussf_at_GEOAPPS.COM)
Date: 10/29/04

    Date:         Fri, 29 Oct 2004 14:07:15 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    On 29 Oct 2004 at 16:19, Russ wrote:

    > Firstly, the way the HTML is written, the href which should display
    > and be used is http://www.microsoft.com, the single </a> should be the
    > closing element for the first href.

    Should it? Or should it close the closer <a href="">? Is there
    an HTML standard for nesting links? Whatever the case, this is
    broken HTML.

    FWIW if you correct the HTML nesting (see below) so that the
    google href is correctly closed inside the table, both Opera
    7.20 and IE6sp1 on Win2k SP4 take you to google BUT Firefox
    1.0PR takes you to microsoft.com. Opera's status bar shows you
    "microsoft.com" only when you're in the table but not over the
    actual "click here" link - then it shows you google.com.

    > An interesting side-effect of allowing the content is that while a
    > mouseover the "Click Here" reveals www.google.com, if you slowly move
    > the mouse down you will see www.microsoft.com flash in the status bar.

    This is the "table" white space around the enclosed "Click here"
    link. Opera handles this properly, IMHO, while the others
    don't.

    In FF I see a "flash" of the enclosed href in the status bar as
    I _click_ the link, but it still loads microsoft.com.

    Compare these two links:

    <a href="http://www.microsoft.com/">
      <table>
        <tr>
          <td>
            <a href="http://www.google.com/">Closed OK</a>
          </td>
        </tr>
      </table>
    </a>

    <a href="http://www.microsoft.com/">
      <table>
        <tr>
          <td>
            <a href="http://www.google.com/">NOT Closed OK
          </td>
        </tr>
      </table>
    </a>

    IE always shows microsoft and always goes to google. BAD!

    FFox shows microsoft on the "closed OK" one and goes there,
    shows and goes to google on the "Not Closed OK" one.
    ACCEPTABLE, but you lose the internal link.

    Opera shows and goes to google for both, unless you click in the
    table-space, in which case it shows and goes to microsoft. BEST

    Again, is there an HTML standard for nested links like this?

    Seems to me Opera 7.20 has the most "correct" behavior here,
    especially on the nested-link "Closed OK" code. When you're in
    the table-space but not over the internal link, the outer link
    governs. Firefox ignored the internal link.

    If you can define a "correct" behavior for broken HTML, the "Not
    Closed" never closes the microsoft.com href so you can't ever go
    there, and all three browsers that I tested got that part right,
    even if IE didn't show the link in the status bar ...

    --
    Angus Scott-Fleming
    GeoApps, Tucson, Arizona
    http://www.geoapps.com/
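
A source-level check for the nested-link markup compared above, as an added example that is not part of the original message: HTML 4.01 (section 12.2.2) says A elements must not be nested, so a mail filter or HTML sanitizer can treat the pattern as invalid input instead of relying on how a given browser resolves it. Python's standard `html.parser` reports tags in source order without repairing them; the names `NestedLinkAuditor`, `audit` and `host` and the two sample strings are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples mirroring the two links compared in the message.
CLOSED_OK = """<a href="http://www.microsoft.com/">
  <table><tr><td>
    <a href="http://www.google.com/">Closed OK</a>
  </td></tr></table>
</a>"""
NOT_CLOSED = CLOSED_OK.replace("Closed OK</a>", "NOT Closed OK")


def host(url):
    """Lower-cased host part of a URL, or '' if there is none."""
    return urlsplit(url).hostname or ""


class NestedLinkAuditor(HTMLParser):
    """Records every <a> that starts while another <a> is still open."""

    def __init__(self):
        super().__init__()
        self.open_links = []  # hrefs of currently open <a> tags, outermost first
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if self.open_links:
            outer = self.open_links[-1]  # nearest enclosing link
            self.findings.append({
                "outer": outer,
                "inner": href,
                "cross_host": host(outer) != host(href),  # visible vs. actual target differ
                "line": self.getpos()[0],
            })
        self.open_links.append(href)

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links:
            self.open_links.pop()  # this auditor pairs </a> with the innermost open <a>


def audit(markup):
    """Return nested-link findings and the number of <a> tags never closed."""
    parser = NestedLinkAuditor()
    parser.feed(markup)
    parser.close()
    return {"nested": parser.findings, "unclosed": len(parser.open_links)}
```

Both samples produce one cross-host finding; only the "NOT Closed OK" sample also reports an unclosed anchor.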