General Discussion: HTC Components

  • Wednesday, April 08, 2009 10:24 PM, FremyCompany
     
    If I had the possibility to add a file on your server, it would be very easy to hack your system.

    <style>
    p { behavior: url(myJScriptHere.htc); }
    </style>

    The HTC:
    <PUBLIC:COMPONENT>
    <SCRIPT LANGUAGE="JScript">
        alert('Bang !');
        document.getElementById("sample").outerHTML = "";
    </SCRIPT>
    </PUBLIC:COMPONENT>

    It does not work with HTCs on other domains due to cross-site limitations.
    Fremy - Developer in VB.NET, C# and JScript ... - Feel free to try my extension

All Replies

  • Friday, September 18, 2009 7:58 PM, Scott Isaacs (MSFT, Owner)
     

    HTC behaviors will not execute in the sandbox (the behavior property is not supported) so this will not be an issue.

    -Scott
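
The reply above says the sandbox does not support the behavior property. As an added example (not code from the thread or from the sandbox), here is one way a filter for untrusted CSS can reach the same result with an allow-list of property names and value characters; ALLOWED_PROPERTIES, SAFE_VALUE, filterDeclarations and the property list are assumptions.

```javascript
// Added example. ALLOWED_PROPERTIES, SAFE_VALUE and filterDeclarations are
// hypothetical names, not part of any sandbox API.
const ALLOWED_PROPERTIES = new Set([
  "color", "background-color", "font-size", "font-weight",
  "margin", "padding", "text-align",
]);
// Values may only contain keywords, numbers, units, hex colors, commas and
// spaces, so url(...), strings and escapes are rejected outright.
const SAFE_VALUE = /^[a-z0-9#%., -]+$/i;

// Decode CSS escapes so "beh\61vior" is compared as "behavior".
function decodeCssEscapes(text) {
  const escape = /\\([0-9a-f]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/gi;
  return text.replace(escape, (match, hex, literal) => {
    if (hex === undefined) return literal;
    const codePoint = parseInt(hex, 16);
    const valid = codePoint > 0 && codePoint <= 0x10ffff;
    return valid ? String.fromCodePoint(codePoint) : "\ufffd";
  });
}

// Filter the body of one style rule (the text between "{" and "}").
function filterDeclarations(ruleBody) {
  const kept = [];
  const dropped = [];
  const withoutComments = ruleBody.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const declaration of withoutComments.split(";")) {
    const colon = declaration.indexOf(":");
    if (colon < 0) continue; // empty or malformed fragment: never emitted
    const name = decodeCssEscapes(declaration.slice(0, colon)).trim().toLowerCase();
    const value = declaration.slice(colon + 1).trim();
    if (ALLOWED_PROPERTIES.has(name) && SAFE_VALUE.test(value)) {
      kept.push(`${name}: ${value}`);
    } else {
      dropped.push(name); // unknown property or unsafe value: fail closed
    }
  }
  return { css: kept.join("; "), dropped };
}

// Constructed input: the declaration from the post plus an escaped spelling of it.
const sample = String.raw`color: red; behavior: url(myJScriptHere.htc); beh\61vior: url(myJScriptHere.htc); font-size: 12px`;
console.log(filterDeclarations(sample));
```

Because the filter allows rather than denies, a property it has never heard of is dropped the same way as behavior.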