Hey guys, I was searching here and there and I found this:

By Passing Hotmail JavaScript


Subject: hotmail javascript bypass
Date: 20 October 2001 20:01

You can bypass the hotmail javascript filtering system using the
<img>..</img> tag.

Placing an http://www.antionline.com/

The src="javascript:bla" is changed to src="javascript:Filtered()".
The first image-background: url('javascript:bla') is changed to
image-background: url(non-'javascript:bla') (so isn't executed).

But here is the problem: the second image-background:
url('javascript:alert%28test%29') isn't changed at all.
(the %28/%29 are used instead of '(' / ')' else it won't work..)

So this code will be executed.

Some things you can do with this bug:

1 redirect people to a fake hotmail-retype-your-password page and catch
their password.
2 Catching cookies/urls etc.

3 You can get the user's personal information
Example:
- I used Netscape Messenger and inserted this html tag:

--
http://www.antionline.com/
--

Then sending an email, and if the user opens this email a message will
pop up containing his full name, country etc. So you are able to catch
this info.

4 .....

ObLiviON [email protected]


----------------------------------------------------------------------------------
In Every Digital Circuit There Is An Analog Circuit Screaming To Come Out.
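
An added example (not part of the quoted advisory and not Hotmail's code): a Python model of the flaw described above, where a style filter rewrites only the first url('javascript:...') value, beside a version that decodes and checks every url() value. The function names, the about:blank replacement and the sample string (built from the two values quoted in the post) are assumptions.

```python
import re
from urllib.parse import unquote

# Any CSS url(...) value, quoted or not. The scheme is checked after decoding.
URL_FN = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

def is_script_url(value):
    """True if the value resolves to a script scheme once normalised."""
    decoded = unquote(value)                          # %28 -> ( and so on
    compact = re.sub(r"[\s\x00-\x1f]+", "", decoded)  # drop tabs/newlines
    return compact.lower().startswith(SCRIPT_SCHEMES)

def _neutralize(match):
    # Assumed replacement value; benign URLs are returned untouched.
    return "url(about:blank)" if is_script_url(match.group(2)) else match.group(0)

def filter_first_only(style):
    """Models the behaviour in the post: only the first url() is rewritten."""
    return URL_FN.sub(_neutralize, style, count=1)

def filter_all(style):
    """Hardened form: every url() value in the declaration is checked."""
    return URL_FN.sub(_neutralize, style)

def has_script_url(style):
    """Post-filter check a sanitizer should run before releasing the markup."""
    return any(is_script_url(m.group(2)) for m in URL_FN.finditer(style))

# Constructed sample using the two values quoted in the post.
SAMPLE = ("image-background: url('javascript:bla'); "
          "image-background: url('javascript:alert%28test%29')")

if __name__ == "__main__":
    for name, fn in (("first-only", filter_first_only), ("all", filter_all)):
        out = fn(SAMPLE)
        print(f"{name:10} residual script url: {has_script_url(out)}\n  {out}")
```

Running has_script_url on the filter's own output is the regression check that would have caught the second, unmodified value.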