Summary : Multiple web-based mail systems browsed through Internet Explorer can allow arbitrary javascript execution. Date : 02/10/2003 Author : Frank Denis ------------------------[ Description ]------------------------ The issue described here doesn't reveal a vulnerability in a specific product. But the combination of features of Internet Explorer with features of common webmail software can create a vulnerability. 1) Internet Explorer interprets stylesheets for any HTML tag, even non-existent ones. For instance : is not a valid tag, but attributes are evaluated. It may be considered as a bug or as a logical behavior, your mileage may vary. And this alone is not a security flaw. 2) Internet Explorer can evaluate Javascript expressions in style sheets through the "expression" keyword : This is not a bug either, but a proprietary, properly documented extension. 3) Due to the increase of HTML-only email, most popular webmail software can display HTML email. In this context, Javascript _must_ be removed from every email. To achieve this result, various tricks are used by webmail software : - Removal or mangling of