A css code to prevent website IFRAME Trojans

Because ff (Firefox) is not afraid of IFRAME, so I took the IE knife and did not know whether Bill had a prize. I wrote only one sentence. Code That's it. Ha, good luck. It is the attribute expression in the CSS of IE only (exclusive). Try inserting it and try again. The IFRAME does not work.

The Code is as follows:

<Style type = "text/CSS" Media = "all" id = "http: your own domain name">
/* <! [CDATA [*/
IFRAME {
V: expression (this. src = 'about: blank ', this. outerhtml = '');/* use the IE only style except all IFRAME */
}
# F126 {v: expression ()! Important} // if you want to make your IFRAME executable, add id = "f126" in your IFRAME ";
/*]> */
</Style>

Analysis:
Prefix: expression (expression );

This prefix can be changed at will. I named it "v" above. For example, I can change it to: ABC123: expression (this. src = 'about: blank ', this. outerhtml = ''); the trojan guy must first read the prefix in your CSS, and then write it like this when mounting the trojan <IFRAME Style =" ABC123: expression ()! Important "src =" url "> </iframe>, the prefix must be the same as your website (ABC123) to be mounted to the horse. Hahaha! If you make the prefix dynamic, it will be very OK, depending on how you hung up!

Advantages:

It can solve some webmaster's troubles and does not need to care about the number of IFRAME Trojans inserted by others. Those IFRAME do not work;

This protects the security of visitors. If these IFRAME files are not executed or downloaded, the accessed computer will not be damaged;

The code is simple, and there is only one CSS style, no matter whether you are Asp, ASP. NET, JSP, PHP or ruby, it is common;

Disadvantages:

Only applicable to the current IFRAME defense scheme;

The method of Trojan Infection needs to be changed. The Trojan handler can construct such code <IFRAME Style = "V: expression ()! Important "src =" url "> </iframe> invalidates my defense method. However, you must check the" v "letter in front of the expression in my CSS, I can replace it with any one, for example, xgz: expression (...), hahaha, he can't help me either. Another example is, if my prefix is changed, is it okay *_*

Cannot defend against other marked horses, such as <SCRIPT>, <APPLET>, and <Object>.
Come back to me at that time ~ The IFRAME inserted in the webpage still exists, but it does not work;

Reinforce the defense line and add the following JS Code-in fact, this code is not needed at all:

<SCRIPT type = "text/JavaScript" Language = "JavaScript">
// <! [CDATA [
Function killfrm ()
{
VaR xgzfrm = Document. getelementsbytagname ("iframe ");
For (VAR I = 0; I <xgzfrm. length; I ++) // cyclically check all IFRAME tags, change all IFRAME URLs to blank pages, and delete ifrmae tags;
{
Xgzfrm [I]. src = 'about: blank ';
Xgzfrm [I]. outerhtml = '';
}
}
Window. onload = killfrm; // load the page and execute this js method;
//]>
</SCRIPT>

Another solution is to convert it into a solution. This solution does not know whether it can be used or not. The method is as follows:

Add <XMP> at the end of the page and use CSS to control its display mode, for example, XMP {
Width: 1px;
Overflow: hidden;
Text-overflow: Clip;
White-space: nowrap;
Clear: none;
Float: none;
Line-Height: 0px;
Display: inline;
}