Vincent Gable’s Blog

September 18, 2009

Strange AOL Instant Message Filtering

Filed under: Announcement, Bug Bite, Security
― Vincent Gable on September 18, 2009

You can’t send a message over AIM that contains a JavaScript event handler name followed by =. The message seems to be blocked on the server, not in the client, as this behavior was observed in different AIM clients (iChat, Adium, and meebo).

Examples

The following messages can’t be sent over AIM:

onclick=

onclick =

Yo dawg, I heard you liked onclick= in your JavaScript…

Interestingly, using a newline instead of a space between the handler name and = allows the message to be sent, even though it is still valid HTML/JavaScript. For example, you can send:

onclick
=x();
/*this is fine*/
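
An added example, not code from the original post and not AIM's actual filter (which the post does not show): a hypothetical model of the observed behaviour beside a pattern that uses HTML's whitespace set, plus output encoding as a mitigation that does not rely on a blocklist. The handler list, pattern names and function names are assumptions.

```javascript
// Added example, not AIM's code: a hypothetical model of the observed filter.
// Event handler names are a small constructed sample, not a complete list.
const HANDLERS = ["onclick", "onload", "onerror", "onmouseover"];
const NAMES = HANDLERS.join("|");

// Assumed model of the observed behaviour: handler name, optional spaces, "=".
const observedModel = new RegExp(`(?:${NAMES}) *=`, "i");

// HTML treats tab, LF, FF, CR and space alike between an attribute name and "=".
const htmlWhitespaceAware = new RegExp(`(?:${NAMES})[\\t\\n\\f\\r ]*=`, "i");

function isBlocked(pattern, message) {
  return pattern.test(message);
}

// Mitigation that does not depend on a blocklist: encode on output so the
// receiving client renders the message as text instead of markup.
function escapeHtml(message) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return message.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample messages, taken from the cases listed in the post.
const samples = [
  "onclick=",
  "onclick =",
  "Yo dawg, I heard you liked onclick= in your JavaScript…",
  "onclick\n=x();\n/*this is fine*/",
];

// Run both patterns over every message and report which ones each would block.
function compare(messages) {
  return messages.map((m) => ({
    message: m,
    observed: isBlocked(observedModel, m),
    whitespaceAware: isBlocked(htmlWhitespaceAware, m),
  }));
}

console.table(compare(samples));
```

The third sample is ordinary conversation, which either pattern blocks; encoding on output avoids that false positive as well as the newline gap.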

I suspect there is an interesting security story behind all of this. If you know how and why this filtering came to pass, please leave a comment.

Thanks to Dustin Silverman for helping me investigate this. In case you were wondering how I stumbled onto this behavior — I was sending snippets of HTML from twitterglyphs.com/ over AIM.

2 Comments »

  1. I know for a fact that the OS 8/9 versions of IM let you type <hr> to draw a rule in the other person’s window. Perhaps HTML is more deeply nested in their encoding than I thought?

    Comment by Jason Petersen — September 18, 2009 @ 9:00 pm

  2. Interesting. I was on ICQ back in those days, so I have absolutely no idea. From the little bit of experimenting I did, HTML code just comes across as plain text today.

    Comment by Vincent Gable — September 18, 2009 @ 9:58 pm
