在xfocus上看到一篇攻击email的文章,(http://www.xfocus.net/articles/200304/502.html),让我感兴趣的是,javascript混合成ASCII码的也可以被执行,例如下面一段代码:
[code]<body>
<img lowsrc="javasCript:alert('JavaScript#1 is executed')">
<a href="javAsCript:alert('JavaScript#2
is executed')">Click here</a>
<form method="post" action="javascript:alert('JavaScript#3 is
executed')">
<input type="Submit" value="Submit">
</form>
</body>[/code]
存为test.htm后,双击运行后居然直接弹出了alert窗口,"javasCript"自动被解释为了jAvasCript,ft.
在maxthon中用viewSource插件查看,源码居然是
[code]
<html>
<HEAD></HEAD>
<BODY><IMG lowsrc="javasCript:alert('JavaScript#1 is executed')"> <A href="javAsCript:alert('JavaScript#2is executed')">Click here</A>
<FORM action="javascript:alert('JavaScript#3 is executed')" method=post><INPUT type=submit value=Submit> </FORM></BODY>
</html>
ViewSource自动为其加上了前面的html标签,而且也代码转换回来了。有空要看看ViewSource是怎么做的。呵呵,这些用在javascript上的加密倒是会让人一下子摸不着头脑。