
Re: [IE 6 SP2] Possible URL Spoofing

I realize that while many would be fooled, many wouldn't be, because the frame is very visible; as shown here: http://www.kurczaba.com/images/iespoof.png.

Though, as you said, there is probably a way to bypass the homepage verification dialog.

It is just a matter of time :)

Just my 2 cents,
Paul
----- Original Message ----- From: "Andrew Hunter" <andiroohunter@xxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Friday, October 15, 2004 5:50 PM
Subject: [IE 6 SP2] Possible URL Spoofing

Program: IE 6 Sp2
Version: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
OS: Windows XP Home SP2

I was just messing around with IE, playing with JavaScript.
It's a well-known fact that IE lets you run JavaScript from the address bar:

e.g. type the following into the address bar: javascript:alert('IE Sucks Go Get FireFox');document.location="http://www.mozilla.org/products/firefox/";;

That address will display a message box and then take you to the Firefox download page. I then started to wonder what would happen if I set a similar address as my homepage. So I went and did exactly that. It was amusing to see IE display "You Smell" when I clicked the homepage button.

I closed IE, and just dismissed the idea. Later on when I clicked the IE logo I heard the sound that Windows makes when a message box is displayed. I couldn't see anything and IE failed to open.

I pressed Ctrl-Alt-Del and just caught a glimpse of it closing.

I experimented more with setting the homepage to different things when I came across this:

javascript:document.write("<iframe src='http://www.google.com' width='100%' height='100%'></iframe>");

I went to www.slashdot.org and pressed my homepage button. Lo and behold, Google appeared on my screen and the address was still www.slashdot.org!

I couldn't find any JavaScript to auto-set this as the homepage without asking the user to verify this, but I think there may be other ways in which this hole can be exploited!

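The spoof in the thread works because the browser accepted a javascript: pseudo-URL as the home page, so the script ran while the address bar still showed the previous site. The defensive rule for any component that installs a home page or other navigation target is a scheme allow-list applied after normalising the string the way browser URL parsers do. The following check is an added example written for this archive page, not code from either poster; the function names and the sample inputs are constructed.

```javascript
// Added example (not from the thread): allow-list check for a URL that is
// about to be installed as a browser home page. Only http and https pass.
const ALLOWED_SCHEMES = new Set(['http', 'https']);

// Normalise like a browser URL parser before looking at the scheme:
// strip leading/trailing C0 controls and spaces, then remove every ASCII
// tab, LF and CR anywhere in the string (so "java\tscript:" is still
// recognised as the javascript scheme rather than slipping past the check).
function normaliseUrlInput(raw) {
  const trimmed = String(raw).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  return trimmed.replace(/[\t\n\r]/g, '');
}

// Return the lower-cased scheme (without the colon), or null when the string
// has no scheme prefix matching the URL standard's scheme grammar.
function extractScheme(s) {
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// True only for http/https. javascript:, data:, vbscript:, scheme-relative
// and relative inputs are all rejected: a home page must be a document to
// navigate to, never something that executes in the current page's context.
function isSafeHomepageUrl(raw) {
  const scheme = extractScheme(normaliseUrlInput(raw));
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample inputs, including the thread's iframe payload.
const SAMPLES = [
  'http://www.slashdot.org/',
  '  HTTPS://www.google.com/',
  'javascript:document.write("<iframe src=\'http://www.google.com\'></iframe>")',
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<b>not a page to navigate to</b>',
  '//www.example.com/',
];

for (const u of SAMPLES) {
  console.log(isSafeHomepageUrl(u) ? 'ALLOW ' : 'REJECT', JSON.stringify(u));
}
```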