locked
Is it possible to inject script into metro app from css?

    Question

  • Demo code:

    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="utf-8" />
        <title></title>
    
        <!-- WinJS references -->
        <link href="//Microsoft.WinJS.1.0/css/ui-dark.css" rel="stylesheet" />
        <script src="//Microsoft.WinJS.1.0/js/base.js"></script>
        <script src="//Microsoft.WinJS.1.0/js/ui.js"></script>
    
        <!-- references -->
        <link href="/css/default.css" rel="stylesheet" />
    
        <style id="buttonstyle">
            body {
                background-image: url("javascript:document.write("")");
            }
        </style>
        <script src="/js/default.js"></script>
    </head>
    <body>
        
    </body>
    </html>
    
    The inject code in 'style' node: 
    url("javascript:document.write("")")
    Does it work in metro app, and why?

    Tuesday, April 23, 2013 9:08 AM

Answers

  • Take a look at the Developing secure apps topic for a discussion of how and why scripts are filtered and methods to avoid filtering scripts that you know are safe.

    --Rob

    • Marked as answer by Lattimore Wednesday, April 24, 2013 2:59 AM
    Wednesday, April 24, 2013 2:05 AM
    Owner

All replies

  • Take a look at the Developing secure apps topic for a discussion of how and why scripts are filtered and methods to avoid filtering scripts that you know are safe.

    --Rob

    • Marked as answer by Lattimore Wednesday, April 24, 2013 2:59 AM
    Wednesday, April 24, 2013 2:05 AM
    Owner
  • I learned a lot after reading the WhitePaper, thanks.
    Wednesday, April 24, 2013 2:59 AM