Rails spinoffers:
When I hit the following in IE, it puts up an error message "Cannot find
file ...bad%20url... Make sure the path" is correct etc. When I hit it
in Firefox I get no error. (Ironic because Firebug is installed...):
<iframe src='bad url'
onerror='alert("yo");' />
What I _want_ to happen is my onerror event fires. I naturally intend to
upgrade the alert("yo"); part into something more germane and
application-specific.
Some documentation out there says IFRAMEs have onerrors and some don't
say they do...
Okay, let's kick this up a notch:
<script src="http://.../prototype.js"
type="text/javascript"></script>
<iframe id='fry_me'
onerror='alert("yo");' />
<script>
$('fry_me').src = 'bad url';
</script>
Now neither IE nor Firefox produces any error message of any kind. If
either had thrown an error, I could naturally 'try' to 'catch' it in the
Javascript.
Taking out the onerror, and adding a try/catch, also doesn't work.
Ordinarily, the answer to one of these IFRAME attack questions is to
upgrade the source the IFRAME calls. And of course I can't do that
because the error happens before the IFRAME has a page to evaluate.
I need the IFRAME to respond to URLs which the user supplies, so I need
a healthy and application-specific error path if the URL is wrong. Not the
default irritation -- or the absence thereof!
So how to beat healthy error information out of an IFRAME's src
attribute?
--
Phlip
http://www.greencheese.us/ZeekLand <-- NOT a blog!!!