I've been wanting to share some HTML tricks for a while. These are only a few examples of fun things you can do on a site that accepts HTML input.
I thought these up when my wife, who participates regularly in several online forums, wanted help modifying her forum signature after our son was born. I was surprised to discover that this particular forum allowed users to input HTML. No restrictions.
At this point many of you are thinking what I was: There are no limits to the trouble I can cause. Of course, I didn't want to get my wife in too much trouble, so instead of completely breaking her forums, I showed her how to hijack her forum's look and feel and set the page's background to an image of our son.
Before we begin, I must warn you that these tricks may not work depending on how the site you are attacking is configured.
Changing the background image
Description: Change the background of the page to any image on the net.
Code: <style>body{background-image:url(http://www.google.com/intl/en/images/logo.gif);}</style>
Instructions: Replace the URL to display whatever image you want and insert the code anywhere you want.
How it works: This uses a CSS rule on the page's body element to tell the browser which image to load as the background.
Variations: <style>body{background-color:green; color:green;}</style>
(This will change the background color to green, and change the text to green as well.)
Wrecking Tables
Description: Causes the table structure on the page to stop displaying properly.
Code: </table>
Instructions: Insert the code into your post.
How it works: This code tells the browser that the table (which is often used to give a uniform look to forum posts) is finished. Anything that comes after this code won't display properly if it was depending on the table still existing.
Variations: <td rowspan="4"> or <td colspan="4">
You can replace "4" with whatever number you'd like. These won't destroy the table, but may cause weird offsets.
Page Redirects
Description: After a certain number of seconds, the page will automatically go somewhere else.
Code: <meta http-equiv="refresh" content="10;url=http://www.google.com" >
Instructions: Replace the 10 with however many seconds you want the browser to wait, and replace the URL with wherever you want the browser to go. If you want the browser to go instantly, put 0 (zero) as the number of seconds. This may not work if the page already has a meta refresh tag.
How it works: This <meta> tag tells the browser to go to Google's site 10 seconds after the page loads. This does not have to be in the header in order to work.
Hiding Content
Description: If content is laid out on the page using <div> tags, you can move or hide all of it.
Code: <style>div{position:absolute; top:-300; left:-300;}</style>
Instructions: Insert anywhere in your post.
How it works: This uses CSS to tell the browser to place each div outside normal viewing range.
Variations: <style>div{display:none; visibility:hidden;}</style>
This uses CSS to tell the browser not to display any div, not even off screen like the above example.
JavaScript
Description: You can do too many wonderful and terrible things with JavaScript to describe here. Hopefully these highlights will be enough.
Code: <script language="javascript"> history.go(-1); </script>
Instructions: Insert anywhere in your post.
How it works: This particular script tells your browser to immediately go back to the last page in its history.
Variations: <script language="javascript">
function frap(){
if( document.bgColor =="#ffffff" )
document.bgColor="#000000";
else
document.bgColor="#ffffff";
setTimeout("frap()", 50);
}
frap(); </script>
This awful script creates a function that switches the background color back and forth between black and white every 50 milliseconds. I actually feel dirty making this one public.
Okay, that's enough. As it is I want to wash my hands. Over and over again. For hours.
To those of you who want to test these tricks out, make sure you're aware of any forum rules before you start. It is also a good idea to try them out in a private thread first so you know what the results will be.
If you own or run a forum or anything where users can post content, do these tricks work on your system and if so, how much do you trust your users?
Now, where's the hand soap?
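For forum owners answering the question above, one way to check is to run the snippets from this post through an allowlist sanitizer and confirm that only plain formatting survives. This is an added example, not code from the original post; the allowed tag list and the names PostSanitizer and sanitize are assumptions, and it uses only Python's standard library.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED = {"b", "i", "em", "strong", "u", "p", "br", "a"}  # assumed forum policy
VOID = {"br"}
DROP_CONTENT = {"script", "style"}  # their text is code, not post text

class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # <style>, <script>, <meta>, <td>, <div> never reach the page
        attr_text = ""
        if tag == "a":  # every attribute is dropped except an http(s) href
            href = dict(attrs).get("href") or ""
            if href.lower().startswith(("http://", "https://")):
                attr_text = ' href="%s" rel="nofollow"' % escape(href)
        self.out.append("<%s%s>" % (tag, attr_text))
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            # Close down to the matching tag; a stray </table> matches nothing
            # the post opened, so it is silently discarded.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is always re-escaped

def sanitize(post):
    parser = PostSanitizer()
    parser.feed(post)
    parser.close()
    while parser.open_tags:  # close what the post left open so it cannot leak out
        parser.out.append("</%s>" % parser.open_tags.pop())
    return "".join(parser.out)
```

On a live site a maintained sanitizer library is the safer choice; what matters is the shape of the check: allowlist the tags, drop the attributes, and balance whatever remains.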