Closed Bug 275937 Opened 15 years ago Closed 15 years ago

<img src="mailto:x"> opens default mail-client without user interaction

Categories

(Core :: HTML: Parser, defect)

x86
Windows 2000
defect
Not set

Tracking

()

RESOLVED DUPLICATE of bug 181860

People

(Reporter: bjorn, Unassigned)

References

()

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Multiple <img src="mailto:#"> (where # is a random string) in a HTML-page can
easily crash the whole system by opening 100's of "Compose E-mail"-windows.
Proof of concept at http://psionicist.online.fr/intebra.html (will open three
windows).

Reproducible: Always

Steps to Reproduce:
1. Create a HTML-page that looks like this:
<html>
<img src="mailto:1">
<img src="mailto:2">
<img src="mailto:3">
<img src="mailto:...">
<img src="mailto:n">
</html>
2. Save document.
3. Open it in browser.
(4.) Optionally, craft a JavaScript that will output 1000's of <img
src="mailto:x">-strings.

Actual Results:  
Several windows were created without user interaction.

Expected Results:  
Nothing. <img src="x"> should not be allowed to open mailto: or protocols other
han http: and ftp:

Also affects Internet Explorer, Outlook Express, and Mozilla Thunderbird.

This is a really old trick exploited in the JS.WindowBomb virus and I have only
seen it "in the wild" once, but it is highly annoying and can potentially wreck
havock in HTML e-mails as well.

*** This bug has been marked as a duplicate of 181860 ***
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.