N/A

Apple Safari 4.0.3 does not properly block javascript: and data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2) entering a javascript: URI when specifying the content of a Refresh header, (3) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header.

N/A

N/A

Apple Safari 跨站脚本攻击漏洞

Apple Safari 4.0.3版本没有在HTTP响应中正确的拦截刷新眉首中的javascript:URIs和数据:URIs，这使得远程攻击者可以借助一些向量，执行跨站脚本攻击。这些向量涉及(1)注入一个包含javascript:URI的刷新头，(2)在详细说明刷新头的内容时，输入一个avascript:URI，(3)注入一个包含data:text/html URI中的javaScript序列的刷新头或(4)在详细说明刷新头的内容时，借助JavaScript序列输入一个data:text/html U

N/A

N/A