Philip Prindeville wrote: > What about flagging HTML that has: > > <a href=.* onMouseOver="window.status" > > I.e. any links that attempt to intercept onMouseOver events and override > the status window should be flagged as suspect... > > -Philip
Actually, this seems to work: rawbody L_PHISH /<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)="window\.status=/ describe L_PHISH Test for PHISH overwrites the status bar score L_PHISH 6.0 I suppose I could beef it up with a test to see if __CTYPE_HTML was set at the same time... Not sure how case-sensitive JavaScript is to whether "onmouseover" is the same as "onMouseOver"... I'm not a JS-head. -Philip