I was happening to enjoy writing a lovely formatted email one evening and I decided I’d like to include a quote from a website at the end of the email. Gmail’s rich text editor is fantastic at interpreting html from the clipboard and it implements all formatting, URLs, images and code. I love this feature and it is extremely handy. In this case I was copying a block of text, however mid sentence there was a small image that was a useful link for the website but was not required in the email. The text-editor added it as expected and I motioned to remove it. However, it wasn’t just your standard image linked to web page because upon clicking to delete the icon it proceeded to load the page it linked to… within the rich text editor. The code for the image looked something like this:
<a href=” url”
onclick=”{ window.location.href=‘url that loads’; return false; }”
onmouseover=“status=‘url’; return true;”
onmouseout=“status=”; return true;”>
<img style=“width: 402px; height: 378px;” src=“image url” border=“0”>
</a>
This page that loaded replaced my carefully worded email much to my annoyance yet I grew excited at the prospect of being able to send web pages to friends with ease. My mind was traveling along the lines of,
“If I could exploit this bug, I could create a simple PHP script, render some code for the desired URL and then get the full web page up in the editor which I can then send”
Although these plans were somewhat thwarted when I noticed the SEND and save draft buttons had become completely defunct after rendering the url’s html. I’ve given up re-writing the original email because I’m tired.I should also point out that this bug only occurs in firefox. Make of this what you will. Although I do fear it could open up some security issues such that the loading of malicious html within gmail could pose a serious threat.
Digg This
Delicious
Facebook
Stumbleupon
Comments are closed.