new icn messageflickr-free-ic3d pan white
Some "fun" with Cross Site Scripting : skinning Flickr with MSIE | by Ozh
Back to photostream

Some "fun" with Cross Site Scripting : skinning Flickr with MSIE

MSIE allows some "cross site scripting" (XSS) which is normally unallowed remote code execution.

 

Here is a screenshot of my Profile page as viewed in MSIE before the admins fixed this issue (only worked in MSIE, maybe Opera, but not Firefox)

 

This was done by embedding another style sheet, "hidden" in an image

tag. The external stylesheet used only text and div styles with no use

of image except for the Flickr logo. Ok, it's rather ugly, but I was more on the "proof of concept" than on a design contest :)

 

I've explained the whole trick on my blog : Cross Site Scripting, Skinning Flickr with MSIE

2,829 views
1 fave
4 comments
Uploaded on May 23, 2005