Hello,

are there still possibilities to execute JavaScript via stylesheets?

The common methods like expression or moz-binding are not working in modern web browsers. It seems that Mozilla completely removed the -moz-binding functionality.

Regards

I believe there are still some working vectors. Using "expression" with IE is definitely still an option.

I can't really agree with you there. Dynamic properties (like "expression") are only working if the X-UA-Compatible header is set to an obsolete version of the IE or a wrong document type is used. Dynamic properties are turned off by default since version 8. I recently wrote an article about that issue: http://impuls23.edublogs.org/2012/06/06/css-expressions-do-work-again-in-ie9/



Edited 1 time(s). Last edit at 06/17/2012 09:06AM by Jean Pascal Pereira.

The doc mode is inherited from the parent of the iframe so even if you have a standards mode page, if it's iframed from a quirks doc it will inherit that.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

I don't think so. Can't reproduce this in IE9. Do you have any proof for your statement?

Ok well it used to :) clicking the compat mode button when the page is framed still works.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Perhaps it will be useful for you:

1) http://html5sec.org/#9
2) http://html5sec.org/#90
3) http://html5sec.org/#129

----------------------
~Veritas~

@LeverOne

I think Opera stops javascript: now but allows data

<style>*{-o-link:'data:text/html,%3Cimg%20src%3D1%20onerror%3Dalert(1)%20%2F%3E';-o-link-source:current}</style>
<a xlink:href=123>test</a>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Gareth Heyes

I added it to the description for #9 few days ago and your link to hackvertor.

----------------------
~Veritas~

@LeverOne

Cool

Also if you wrap around the style with svg tags you can use the newer entites too such as &colon; etc which is pretty useful for bypasses since filters tend to think entities won't work in style blocks.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]