Michal Zalewski <[EMAIL PROTECTED]> wrote: > > http://[EMAIL PROTECTED] > > wont work until you > > unescape('http://[EMAIL PROTECTED]'); > > Out of sheer curiosity (no MSIE at hand)... would it work with: > > <a href="http://[EMAIL PROTECTED]"> > > ...meaning, put literal ASCII character #001 in a href tag, as opposed to > using JavaScript or alikes?
I just posted a reply to the OP's message on Bugtraq about my tests of precisely this (half expect it won't appear there, but...). Unfortunately, I forgot to keep a copy of that message so can't just repost those comments here. In short, it appears you can use a 0x01 character instead of the "%01 and unescape" combo the OP used. Further, I looked at using this in an http-equiv=refresh "redirect" situation. In a straight use of that approach, it failed (using either the %01 or 0x01 character method), but worked if you used a script to write the http-equiv=refresh statement into the document. I don't have a suitable server set-up handy at the moment to test whether it works in a server-side redirect. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html