Secure Programming and the evil

For something to do, I took a secure programming course a few days ago. The course covered all the basic stuff: buffer overflows in c, cross-site scripting, injections, denial of service attacks, SSL, signatures and digital certificates.

One of the examples for cross-site scripting was a user having the ability to input HTML elements into a comment box on a blog. The example demonstrated how a site could be defaced and even susceptible to people injecting <script> elements (nothing new here). However, when the instructor showed how the issue could be overcome, he thought he would be nice and leave the ability for users to use <br> elements. I thought, “Bonza! Maybe I can hack with the <br> element” and promptly wrote the following code:

<br onmouseover=“alert(’hello’)”>

Much to my surprise, the above code works in IE6 and IE7. Firstly, according to the HTML 4 spec the br element should only use the core attributes, and not the events. So there’s another bug in Microsoft’s IE6 and 7’s implementation of HTML4. The above code, however, does not work in FireFox2 or in Opera9:  no events are applied.

According to Hixie, it should be possible to style the br. However, the CSS 1 spec says the following (my emphasis):

The current CSS1 properties and values cannot describe the behavior of the ‘BR’ element. In HTML, the ‘BR’ element specifies a line break between words. In effect, the element is replaced by a line break. Future versions of CSS may handle added and replaced content, but CSS1-based formatters must treat ‘BR’ specially.

I tried applying a style attribute to the br element but nothing happened in all browsers.