locked
HTC Components RRS feed

  • General discussion

  • If I had the possibility to add a file on your server, it would be very easy to hack your system

    <style>
    p { behavior: url(myJScriptHere.htc); }
    </style>

    The HTC :
    <PUBLIC:COMPONENT>
    <SCRIPT LANGUAGE="JScript">
        alert('Bang !');
       document.getElementById("sample").outerHTML="";
    </SCRIPT>
    </PUBLIC:COMPONENT>

    It does not work with HTC on others domain due to Cross-Site limitations.
    Fremy - Developer in VB.NET, C# and JScript ... - Feel free to try my extension
    Wednesday, April 8, 2009 10:24 PM

All replies

  • HTC behaviors will not execute in the sandbox (the behavior property is not supported) so this will not be an issue.

    -Scott

    Friday, September 18, 2009 7:58 PM