Re: New URL spoofing bug in Microsoft Internet Explorer
From: Russ Thomas (russthomas_at_NTLWORLD.COM)
Date: Sun, 31 Oct 2004 10:21:00 -0000 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Firstly, the way the HTML is written, the href which should display and be
used is http://www.microsoft.com, the single </a> should be the closing
element for the first href.
No, the single closing A tag should close the "current" A element - in this
case that's the element with the google href. That's how the parser behaves
at this point - malformed html willing. To behave as you suggest would mean
overlapping elements are allowed and encouraged (read: not cool).
> In isolation, the google href may appear to be the most well-formed, but
since HTML shouldn't be treated as isolated data islands, but instead as a
sequence from beginning to end,
Well, it's a "stream", yes, but the parser's job is to construct a tree.
The code we're given is a branch begun by the first A tag which, in the
code, is never closed - therefore "end of stream" is, in effect, the closing
tag for this element which terminates the branch. Traversing this branch
there is another A branch, which is begun and closed by supplied tags - the
google element, if you will. So, "in isolation," or otherwise, the google
element is complete.
> the fact that XP SP2 renders www.google.com as the link is just wrong
(even if it does mean the spoofing attempt fails.)
No, it's not wrong, it's a complete element (ignoring the seemingly
erroneous HTML within).
> Further, if the single </a> tag closes the google href,
there's no "if" here, it does close said element.
> then how is it possible that IE still can put www.microsoft.com in the
status bar at all?
It depends on whether IE, at core, is favoring mouseovers to "bubble up"
from lower level nodes to parent nodes or whether mouseovers at the parent
are sent down to children for processing (Hmmm, I can think of a few more
ways this could be handled but let's keep this simple). My guess, it's
"onion like" from core to surface, and we never see the lower level messages
since they're overwritten later by outer layers - in this case the parent A
element. Moreover, windows paint messages are optimized - the lower level
messages, even if they were issued to the message queue, may never "happen".
Note: I'm not saying yet whether this is right or wrong - just "how it is".
> It has no closing tag, so is not well-formed, and shouldn't be treated as
a valid tag...
We know, don't we, that rules are put aside when the HTML is broken. The
browser vendors usually try to make some sense of broken HTML. Yes, it's ok
to suggest what the vendors should do, but in reality, with broken HTML,
you'll get whatever you get, good or bad. I suggest to you that the parser
treats "end of stream" as termination of all open elements.
> but IE, even of XP SP2, still thinks its valid (granted, after the blocked
content has been allowed.) What possible reason would there be to allow the
rendering of that href???
It's a design choice. Without a doctype to enforce any kind of "strictness"
what would you have the browser do - display nothing? If you say yes,
congrats, you just made a design choice (a choice some will agree with,
while some will not).
Anyway, let's assume the missing A closure is a typo. I mean, given what
I've said above, and guessing at what the author most probably intended,
I've tried this (corrected) code in XP SP1/IE6 SP1 and it works much as the
Now, just to show that mouseover behavior is seemingly an arbitrary* design
choice, try this:
Here we have the tooltip code behaving one way (child priority over parent)
and status behaving another way (parent over child). This code is the
"evidence" needed to tell MS how best to treat status bar message printing -
"Do it like tooltips, guys", that is, stop at the child. Because, let's
face it MS, that's what click does - right?
The click event never reaches the outer A element (ms) it having been
"eaten" by the contained A element (gg). This is correct behavior. This is
also how the tooltip code seems to behave. The question for MS is, why have
two ways of doing essentially the same thing? One, "perfectly good enough",
the other, "thoroughly inadequate". One readily open to abuse, the other
So Russ, did you try correcting the code and testing in XPSP2?
* of course it should not be arbitrary; if in this context the status bar is
meant to inform about what is beyond a link, it should perhaps reflect what
would truly happen "post click".
-- NTBugtraq Editor's Note: Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field. --