Source: Seckers Blog
The goal is at least to keep visitors from being infected with Trojans.
FF (Firefox) is not afraid of IFRAME, so I took the knife to IE instead; I do not know whether Bill will give me a prize for it. I wrote only one line of code and it was done. Ha, good luck. It uses expression, a CSS feature that only IE supports. Insert it and try again: the IFRAME no longer works.
The code is as follows:
<style type="text/css" media="all" id="http://safe3.cn">
/*<![CDATA[*/
iframe {
    v: expression(this.src='about:blank', this.outerHTML=''); /* use the IE-only style to blank and remove all IFRAMEs */
}
#f126 { v: expression() !important } /* to let one of your own IFRAMEs run, add id="f126" to that IFRAME */
/*]]>*/
</style>
Analysis:
The rule has the form prefix: expression(expression);
The prefix can be changed at will. I named it "v" above. For example, I can change it to abc123: expression(this.src='about:blank', this.outerHTML=''); Whoever plants the Trojan must first read the prefix in your CSS and then write the IFRAME like this: <iframe style="abc123: expression() !important" src="URL"></iframe>. The prefix must be the same as your site's (abc123) for the Trojan to load. Hahaha! If you make the prefix dynamic it works very well; then let's see how they plant it!
Advantages:
It saves webmasters some trouble: there is no need to care how many IFRAME Trojans others have inserted, because those IFRAMEs do not work;
It protects visitors: since these IFRAMEs are not executed or downloaded, the visiting computer is not damaged;
The code is simple, just one CSS style, and it works the same whether your site is ASP, ASP.NET, JSP, PHP or Ruby;
Disadvantages:
It currently applies only to defending against IFRAMEs;
The Trojan planter only needs to change method: he can write code such as <iframe style="v: expression() !important" src="URL"></iframe> to invalidate my defense. However, every planter must first read the "v" in front of expression in my CSS, and I can replace it with anything, for example xgz: expression(...). Hahaha, then he can't do anything to me either. And what if my prefix keeps changing? *_*
It cannot defend against Trojans planted with other tags, such as <script>, <applet> and <object>.
Come back to me when that happens ~ The IFRAME inserted in the page is still there, but it does not work;
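As an added example (not code from the original post), the following Node.js script audits a page's served HTML against the CSS guard above: each IFRAME is classified as allowed (id f126), neutralized by the iframe rule, or carrying the inline-style override described under Disadvantages. The function names and the sample markup are assumptions constructed for illustration, and "neutralized" holds only in an IE that evaluates expression().

```javascript
// Added example (Node.js); names and SAMPLE are constructed, not the post's code.
const GUARD_PROP = "v";        // the prefix used in the post's CSS
const ALLOWED_IDS = ["f126"];  // the id the post exempts from the guard

// Parse one opening tag's attributes into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// True when an inline style sets the guard property to an expression()
// marked !important, which outranks the style sheet's plain iframe rule.
function overridesGuard(style, prop) {
  return style.split(";").some((decl) => {
    const i = decl.indexOf(":");
    if (i < 0) return false;
    const name = decl.slice(0, i).trim().toLowerCase();
    const value = decl.slice(i + 1).toLowerCase();
    return name === prop.toLowerCase() &&
      /expression\s*\(/.test(value) && /!\s*important/.test(value);
  });
}

// Classify every <iframe> in the served HTML for manual review.
function auditIframes(html, prop = GUARD_PROP, allowedIds = ALLOWED_IDS) {
  const findings = [];
  const tagRe = /<iframe\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    let verdict = "neutralized"; // the iframe rule blanks and removes it in IE
    if (allowedIds.includes(a.id)) verdict = "allowed";
    else if (overridesGuard(a.style || "", prop)) verdict = "bypass";
    findings.push({ id: a.id || "", src: a.src || "", verdict });
  }
  return findings;
}

// Constructed sample: one frame owned by the site and two injected ones.
const SAMPLE = [
  '<iframe id="f126" src="/widgets/news.html"></iframe>',
  '<iframe src="http://injected.example/a.htm" width="0" height="0"></iframe>',
  '<IFRAME style="v: expression() !important" src="http://injected.example/b.htm"></IFRAME>',
].join("\n");
console.log(auditIframes(SAMPLE));
```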
To reinforce the line of defense, add the following JS code; in fact, this code is not needed at all:
<script type="text/javascript" language="javascript">
//<![CDATA[
function killfrm()
{
    var xgzfrm = document.getElementsByTagName("iframe");
    // check all IFRAME tags, change each IFRAME URL to a blank page, and delete the IFRAME tag;
    // iterate backwards because the collection is live and shrinks as tags are removed
    for (var i = xgzfrm.length - 1; i >= 0; i--)
    {
        xgzfrm[i].src = "about:blank";
        xgzfrm[i].outerHTML = "";
    }
}
window.onload = killfrm; // run this function once the page has loaded
//]]>
</script>
There is another approach, though I do not know whether it actually works. The method is as follows:
Add <xmp> at the end of the page and use CSS to control how it is displayed, for example:
xmp {
    width: 1px;
    overflow: hidden;
    text-overflow: clip;
    white-space: nowrap;
    clear: none;
    float: none;
    line-height: 0px;
    display: inline;
}