Other ways of calling JavascriptIn previous lesson we saw how input could be filtered to prevent a lot of these attacks.
But is removing '<script> tags enough? The short answer is no.
Remember back in the simple cookie stealing page there was a link I suggested you click on to view a cookie?
That uses another form of javascript execution, one that doesn't rely upon using the script tags.
Here's the link again, so that you can refresh your memory.
This is an example of modifying the normal link tag to execute javascript when a link is clicked. There are two simple ways of doing this:
<a href="javascript:alert(document.cookie);">Click me</a> [ Test ] <a href="advanced.html" onClick="alert(document.cookie)">test</a> [ Test ]If you return to the filtered input test you should be able to try either of these links and see that you can still look at the cookie.