Solve the problem of iframe hanging horse with Expression line code-application technique

(including server-side injection, client ARP injection, etc.) IE only--generally only ie afraid of such a hanging horse, so ling son take IE surgery.

Before reading this article, let's take a look at expression；

IE5 and later versions support the use of expression in CSS to associate CSS properties with JavaScript scripts, where CSS attributes can be intrinsic attributes of elements or Custom Properties。 This means that the CSS attribute can be followed by a JavaScript expression, and the value of the CSS property equals the result of the JavaScript expression execution. You can refer directly to the properties and methods of an element itself in an expression, or you can use a different browser object. The expression is as if it were in a member function of this element.

Many friends know that CSS can directly describe the appearance of a visual tag. For example: p{color:red} in the Web page All P tagsThe color of the text will turn red, is not an iframe a mark? Start writing code with the Spirit, hehe:
iframe{... Here to write a description of the appearance of CSS code;

What's the best way to keep an IFRAME from being downloaded? The core came, that is to cut off the request in the IFRAME, cut off the request is to quickly destroy the IFrame object. How to achieve it, the above is not introduced expression? Expression is able to execute the JS script ha. The syntax format is as follows: two

Tag intrinsic CSS property name: expression (JS expression);
Or custom attribute name: expression (JS expression);

Here we choose the second, the code should be roughly like this iframe{v:expression (JS expression);}

The next question is how to destroy all the IFrame objects in the Web page; the principle of using JS is this: make the request address in the IFRAME into a blank page (About:blank), Removing the IFrame object from the DOM (Document Object model) will cut off all requests in the IFRAME. There are a lot of ways to remove DOM nodes, and I'm going to use the outerHTML attribute here. The CSS code is as follows: iframe{v:expression (this.src= ' About:blank ', this.outerhtml= ');} ;
Description: The front of the V is the spirit of their own definition of a CSS attribute, here this represents all the object will describe the appearance of the IFRAME, the middle of the comma on behalf of the two code to execute together, there is no execution priority, this is a strong guarantee oh. About:blank represents a blank page, as we all know. The outerHTML property is the HTML code that the DOM object contains itself, while the innerHTML is the HTML code contained within the DOM object (excluding itself).

Readily, the code written well, let me believe to test whether there is no effect.

First, create a new page, insert the CSS code above (or add the above sentence to your existing CSS code):

<style type= "Text/css" >
Iframe{v:expression (this.src= ' About:blank ', this.outerhtml= ');}
</style>

Then insert a few IFRAME codes on this page, assuming they are linked to a Trojan page. The code is as follows:

<iframe src= "http://www.baidu.com" ></iframe> Baidu
<iframe src= "http://www.126.com/" ></iframe> 126 mailbox
<iframe src= "http://www.163.com" ></iframe> netease

Save As Noiframe.htm, open the browser to test (local tests need to enable the tip of the top disabled script OH). I use grab tools here to test, but there is no need to use grab tools, a most simple and effective way is to open IE cache folder, first empty it, and then refresh this page, to see the cache folder there are no files in these three sites. If not, no request results are returned--the test results are satisfactory, and I have a smile on my face ^^ *, when my colleague handed me a piece of cake, quite delicious.

Tip: Cache folder location for Windows XP SP2 C:\Documents and Settings\Administrator\Local settings\temporary Internet Files


Careful friend found the problem, if my own web page to use IFRAME this Dongdong how to do?

A: If you want to make your own IFrame displayed in the Web page, while others hang the IFrame horse does not work, in the CSS add a #f126 {v:expression ()!important}
The corresponding IFRAME code is: <iframe id= "f126" name= " f126" src= "http://www.126.com/" ></iframe>It's OK.

Tip: IE7 in the priority of the implementation of the callout has "!important" description of the style, IE6 do not know!important, using the nearest principle, so IE6 this code in the end of the CSS can be.

Here f126, there are many friends have questions, they asked me why take "f126", I replied-this f126 is optional, as long as the following IFRAME in the id attribute and the same CSS in the line. My colleague is going to hand over a piece of cake for me to eat, I said full ha ... Hi, Hee.


Of course, a horse-hanger can construct such a code <iframe style= "v:expression ()!important" src= "URL" ></iframe>My defense is invalidated, but it has to go to see my CSS code in the iframe in the prefix V, if my v is changed, haha, is not also no use it!


Summary: The above method just stops the request of the IFRAME and destroys it itself, but the way of hanging the horse changed, for example, change into the way of <script></script> hanging, can not be solved by this method; This method is not the final solution, The final solution is to find out why the IFRAME is really being hung, and to plug the source. It's not my business, huh?

application Example: http://www.cncert.netWith this code with MD5 (hash) check, a very perfect horse-proof solution;