{"id":401,"date":"2009-09-18T18:10:57","date_gmt":"2009-09-18T23:10:57","guid":{"rendered":"http:\/\/vgable.com\/blog\/?p=401"},"modified":"2009-09-18T21:54:11","modified_gmt":"2009-09-19T02:54:11","slug":"strange-aol-instant-message-filtering","status":"publish","type":"post","link":"https:\/\/vgable.com\/blog\/2009\/09\/18\/strange-aol-instant-message-filtering\/","title":{"rendered":"Strange AOL Instant Message Filtering"},"content":{"rendered":"<p>You can&#8217;t send a message over AIM that has a <a href=\"http:\/\/www.w3schools.com\/TAGS\/ref_eventattributes.asp\">JavaScript event handler name<\/a>, followed by <code>=<\/code> in it. The message seems to be blocked on the server, not in the client, as this behavior was observed in different AIM clients (<a href=\"http:\/\/www.apple.com\/macosx\/what-is-macosx\/ichat.html\">iChat<\/a>, <a href=\"http:\/\/adium.im\/\">Adium<\/a>, and <a href=\"http:\/\/www.meebo.com\/\">meebo<\/a>.)<\/p>\n<h3>Examples<\/h3>\n<p>The following messages can&#8217;t be sent over AIM:<\/p>\n<blockquote><p><code>onclick=<\/code><\/p><\/blockquote>\n<blockquote><p><code>onclick       =<\/code><\/p><\/blockquote>\n<blockquote><p><code>Yo dawg, I heard you liked onclick= in your JavaScript\u2026<\/code><\/p><\/blockquote>\n<p>Interestingly, using a newline, instead of space, between the handler name and <code>=<\/code> allows the message to be sent, <em>even though it is still valid HTML\/JavaScript<\/em>. For example, you <em>can<\/em> send,<\/p>\n<blockquote>\n<pre>onclick\n=x();\n\/*this is fine*\/<\/pre>\n<\/blockquote>\n<p>I suspect there is an interesting security story behind all of this. <strong>If you know how and why this filtering came to pass, please leave a comment<\/strong>.<\/p>\n<p>Thanks to Dustin Silverman for helping me investigate this. 
In case you were wondering how I stumbled onto this behavior &#8212; I was sending snippets of HTML from <a href=\"http:\/\/twitterglyphs.com\/\">twitterglyphs.com\/<\/a>  over AIM.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You can&#8217;t send a message over AIM that has a JavaScript event handler name, followed by = in it. The message seems to be blocked on the server, not in the client, as this behavior was observed in different AIM clients (iChat, Adium, and meebo.) Examples The following messages can&#8217;t be sent over AIM: onclick= [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[53,18,42],"tags":[491,490,489,308,394],"class_list":["post-401","post","type-post","status-publish","format-standard","hentry","category-announcement","category-bug-bite","category-security","tag-adium","tag-aim","tag-aol","tag-ichat","tag-javascript"],"_links":{"self":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts\/401","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/comments?post=401"}],"version-history":[{"count":3,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts\/401\/revisions"}],"predecessor-version":[{"id":404,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts\/401\/revisions\/404"}],"wp:attachment":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/media?parent=401"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/categories?post=401"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vgable.com\/blog
\/wp-json\/wp\/v2\/tags?post=401"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}