dive into mark


Saturday, May 3, 2003

The importance of human-readable markup

Slashdot: HTML Rendering crashing IE. Here’s a test page that crashes my Internet Explorer 6.0 SP2 with all patches. Thanks to the wonders of integration, it also crashes any other product using Microsoft HTML rendering libraries. That would include Outlook and Outlook Express, leading the way for a brave new world of Denial-Of-Service-By-Email for people still using Microsoft mail products.

That’s not terribly funny. But here’s the funny part. Here’s the markup that makes it crash:

<html>
<form>
<input type crash>
</form>
</html>

Presumably there are other variations, but that just made my day.


61 comments

  1. You can simplify that to just one line: <input type>

    Comment by Brad Choate — Saturday, May 3, 2003 @ 10:24 am

  2. Trackback by Das E-Business Weblog
  3. My fave is

    Comment by Anonymous — Saturday, May 3, 2003 @ 12:32 pm

  4. OMG that is just too funny. Can’t Microsoft get a new version of Internet Explorer out that doesn’t suck?

    Comment by Simon Jessey — Saturday, May 3, 2003 @ 1:12 pm

  5. It is unbelievable that such elementary markup (that has been around for eons!) could cause such a disastrous result. Oh well, I guess I’ll wait for *yet another* patch…

    Comment by Jason — Saturday, May 3, 2003 @ 1:34 pm

  6. The real question is whether this is an easter-egg (hmm, there needs to be a term for malicious easter-eggs), or just a bug. In either case, it would be interesting to examine the code to see if there are any other ways you can crash IE with very simple markup.

    Comment by James — Saturday, May 3, 2003 @ 1:49 pm

  7. OMFG. I couldn’t believe it. Of course, the version in Mark’s posting (and linked to from slashdot) makes it look like this was deliberately added into the rendering engine, when the actuality is that the ‘crash’ attribute is just window dressing, and is being ignored. All that’s necessary is <input type>.

    Now, if the necessary HTML in question was <input type="crash">, that would be an obvious deliberate (trojan? easter-egg? logic-bomb? you decide) and really funny.

    I’m such a markup geek.

    Comment by Michael Bernstein — Saturday, May 3, 2003 @ 2:01 pm

  8. Trackback by NSLog();
  9. That is highly amusing. Please make me resist the temptation to add that to my site.

    Is there any way I can make IE crash and then customise the crash box? Something like “Your browser sucks, get Mozilla”?

    Comment by Neil T. — Saturday, May 3, 2003 @ 3:45 pm

  10. Is Dave Winer behind this?

    Comment by Anonymous — Saturday, May 3, 2003 @ 4:25 pm

  11. Sounds like it’s a bug. And sounds like it’s been around for a long time.

    I wonder why all the people who are quick to point at Microsoft and laugh, claiming this is such a simple thing, never bothered to help out with creating an HTML 4.01 (or XHTML 1.0) test suite which would include this error?

    Or is it just that it’s such a rare thing after all that nobody thought of it before this? Certainly I never did. Did you?

    –Kynn

    Comment by Kynn — Saturday, May 3, 2003 @ 4:45 pm

  12. Microsoft has how many billion dollars in reserve, has an agenda which is not pro-competitive, not pro-choice, and you figure the community should help them further?

    And this would be for what purpose?

    Comment by Mike — Saturday, May 3, 2003 @ 5:11 pm

  13. “Microsoft has how many billion dollars in reserve, has an agenda which is not pro-competitive, not pro-choice, and you figure the community should help them further?”

    I’ve never said such a thing. Don’t be a moron. Read what I said.

    If there were a detailed enough W3C test suite, these problems wouldn’t be created by anyone building a browser. If this is something which is so unimportant that it doesn’t belong in a test suite, then Microsoft isn’t to blame for not anticipating it.

    “And this would be for what purpose?”

    What purpose is there to creating a comprehensive W3C test suite? Plenty. If you can think of anything like this which you’d consider “obvious”, please write to the W3C’s Q and A project.

    –Kynn

    Comment by Kynn — Saturday, May 3, 2003 @ 5:31 pm

  14. If you want to look at moronic statements, then consider yours where you confuse the role of standards and testing.

    Creating a test suite to prove that a browser renders the markup language is one thing; that’s something where it makes sense that a standards body like the W3C get involved. They have a reference browser already. Products that render like Amaya could be considered compliant.

    But this *isn’t about rendering*. This is a bug in a browser. This issue has nothing to do with the W3C or standards.

    And people laugh because a company with hundreds of billions of dollars of installed base and assets can somehow miss this simple thing.

    On a more serious note, it’s a bad thing that a company with hundreds of billions of dollars of installed base and assets *can* miss simple things; and the regular stream of security issues from Microsoft proves also that their fundamental design philosophy.

    The moron comment was uncalled for. You aren’t related to Dave Winer by any chance are you?

    Comment by Mike — Saturday, May 3, 2003 @ 5:53 pm

  15. This isn’t a matter of a missing test case. This is a matter of an unexpected markup CRASHING the browser. Unexpected markup causing funky rendering is one thing, crashing the whole program because your parser can’t take malformed HTML is quite another.

    Comment by Joshua Ochs — Saturday, May 3, 2003 @ 5:56 pm

  16. This isn’t a matter of a missing test case. This is a matter of an unexpected markup CRASHING the browser. Unexpected markup causing funky rendering is one thing, crashing the whole program because your parser can’t take malformed HTML is quite another.

    Comment by Joshua — Saturday, May 3, 2003 @ 5:56 pm

  17. It’s even more ironic since IE tends to display malformed markup all the time, which of course doesn’t encourage people to improve on what they shove into pages. Markup anarchy.

    Wait… computer is beeping at me… must be the “every other day Microsoft IE Security Update” arriving… back later… got…to…update…

    Comment by Anonymous — Saturday, May 3, 2003 @ 6:02 pm

  18. Trackback by Blog-Fu
  19. Well I had the very same issue with the following markup, this is the general gist of it:

    <div>
    <p><b>some text</b></p>
    </div>

    Comment by Sean — Saturday, May 3, 2003 @ 6:28 pm

  20. Kynn, I don’t think anyone is seriously suggesting that this is anything more than a bug. But it’s a bug which lends itself to comedy, since you can put anything at all after the empty “type” attribute.

    BTW, for those who don’t know, there is a *functional* test suite for HTML:

    http://www.w3.org/MarkUp/Test/HTML401/current/tests/

    It’s theoretically possible to create a more comprehensive suite of *unit tests* with examples of invalid markup, but such a suite would be massive. Simple cases like this could be automated from the HTML DTD. Have a rule that generates test cases for each element, for each attribute that can’t be empty. Then combinations of attributes. Then combinations of elements. Then combinations of elements within other elements. (Remember, this bug is only triggered when an INPUT element with an empty TYPE attribute is *not* contained in a BODY element. So your suite would have to have been at least this complex in order to have caught this bug.)

    Then add values for each attribute. Of course, there are an infinite number of invalid values for each attribute, so you’ll have to pick and choose. Then you’ll need to do all the combinations with each value.

    And keep in mind that, other than “browser doesn’t crash”, verification of these tests is non-trivial. I suppose each browser could check its internal DOM representation against a known good representation, but since we’re dealing with invalid markup and each browser creates different representations of invalid markup, each browser maker would need to create their own verification suite.

    While this would be useful for all the reasons that unit testing is useful (see what obscure things changed in a product rev), I bet it’s not Microsoft’s top priority.

    Comment by Mark — Saturday, May 3, 2003 @ 6:59 pm
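
Added example, not part of the original thread or the blog author's code: a sketch of the DTD-driven generator described in comment 20, with "doesn't crash" as the only oracle. The element table, the context templates, `FragileParser` and every function name are assumptions made for illustration; `FragileParser` is a constructed stand-in for a buggy parser, not a model of IE's code.

```python
import itertools
from html.parser import HTMLParser

# Constructed subset standing in for "attributes that can't be empty";
# a full suite would derive this table from the HTML 4.01 DTD.
REQUIRED_VALUE_ATTRS = {
    "input": ["type", "name"],
    "form": ["action", "method"],
    "img": ["src"],
}

# Surrounding documents. The thread reports the crash only when the element
# is not preceded by BODY, so context has to be a dimension of the suite.
CONTEXTS = {
    "bare": "{}",
    "html_only": "<html>{}</html>",
    "html_form": "<html><form>{}</form></html>",
    "html_body": "<html><body>{}</body></html>",
    "closed_body": "<html><body></body>{}</html>",
}


def attribute_forms(attr):
    """Malformed spellings of one attribute: valueless, dangling '=',
    empty string, and valueless followed by a stray token."""
    return [attr, attr + "=", attr + '=""', attr + " junk"]


def generate_cases(contexts=CONTEXTS):
    """Yield (case_id, markup): each element x attribute (then attribute
    pairs) x malformed form x surrounding context."""
    for element, attrs in REQUIRED_VALUE_ATTRS.items():
        groups = [(a,) for a in attrs] + list(itertools.combinations(attrs, 2))
        for group in groups:
            spellings = (attribute_forms(a) for a in group)
            for forms in itertools.product(*spellings):
                tag = "<{} {}>".format(element, " ".join(forms))
                for ctx_name, template in contexts.items():
                    yield (element, forms, ctx_name), template.format(tag)


class FragileParser(HTMLParser):
    """Constructed stand-in for a buggy parser (not IE's real logic): until
    BODY has been seen it assumes every attribute carries a string value."""

    def __init__(self):
        super().__init__()
        self.seen_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.seen_body = True
        for _name, value in attrs:
            if not self.seen_body:
                value.lower()  # AttributeError when the value is None


def fragile_parse(markup):
    FragileParser().feed(markup)


def stdlib_parse(markup):
    HTMLParser().feed(markup)


def run_suite(parse, contexts=CONTEXTS):
    """Oracle is only 'did not crash': return ids of cases that raised."""
    failures = []
    for case_id, markup in generate_cases(contexts):
        try:
            parse(markup)
        except Exception:
            failures.append(case_id)
    return failures
```

Running `run_suite(fragile_parse)` with only the `html_body` context reports no failures, which is the comment's point that a suite without the "element outside BODY" dimension would not have caught this class of bug.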

  21. When you mentioned that “top priority” thing, it got me thinking: is anything IE-related anywhere near Microsoft’s “top priority” list? I’m hoping so, as I’m real tired of compromising my layouts to deal with that worthless piece of crap.

    Comment by nick — Saturday, May 3, 2003 @ 8:07 pm

  22. Trackback by jeff.hume.ca
  23. Mark, where did you get MSIE 6 SP2? Microsoft only offers me SP1, with a million patches.

    Comment by Jor — Saturday, May 3, 2003 @ 8:34 pm

  24. Dunno. Help/About says Version: 6.0.2800.1106.xpsp2.021108-1929. I assumed that was SP2, but now that I look at it again, there’s a second line that says “Update version: SP1” plus a bunch of hotfix numbers. So I guess it’s SP 1.

    The point is that it’s the latest version.

    Comment by Mark — Saturday, May 3, 2003 @ 9:00 pm

  25. Thanks. I believe the long version string you give (identical to mine) refers to the fact we installed some XP hotfixes which are labelled as part of SP2…

    I once knew what it stood for.

    Comment by Jor — Saturday, May 3, 2003 @ 9:08 pm

  26. Trackback by Suburban Playboy
  27. “When you mentioned that “top priority” thing, it got me thinking: is anything IE-related anywhere near Microsoft’s “top priority” list?”

    Why on earth would they have a “priority” list, much less a “top priority” list? They have 96% of the market despite the bad press involving constant security holes being found and don’t offer many of the features that users would really love (like pop-up blocking) or that designers would really love like standards compliance.

    IE6 is nearly 3 years old, and its Trident rendering engine (why do rendering engines have such weird names? gecko/tasman/trident/presto) has been around since IE4. Internally this is an old piece of software, that I think they will let decay until they finally decide to build a new browser from scratch.

    Sound familiar? Many people had harsh words for the Mozilla community after dumping the old codebase and starting from scratch, but the truth is, the browser was on its last legs by that point anyways. It was using the same codebase that dated back to mosaic.

    From what I’ve heard, IE 6.5 or IE7 (to be released with Longhorn in about a year) will be the last version of Internet Explorer. From then on, there will only be a rebuilt MSN Explorer for download. They are probably saving themselves the time and effort for the new browser instead of wasting time on the current one.

    It will be quite funny when all the pages created by all those hack designers relying on IE quirks fall apart. Spawning chromeless windows which had worked since IE4, stopped working in IE6 sp1 due to security concerns. Fullscreen popups are next from what I’ve read. Microsoft can’t accommodate all those quirky pages forever, as they are trying to make a go at the wireless market and won’t be able to carry the ever-expanding code bloat around forever. They’ll want a common codebase, that will need to be lean and mean to work on a wide variety of devices not merely the desktop pc. I think that is why IE6 hasn’t been significantly updated for so long, they would rather not waste the effort on something they plan on dumping soon anyways. It’s not like they’ve lost even a single percent point of the browser market.

    Comment by MikeyC — Saturday, May 3, 2003 @ 10:23 pm

  28. Trackback by Suburban Playboy
  29. Trackback by El Refugio
  30. Microsoft doesn’t update IE because there’s no money in it: i.e. there’s no licensing fees associated with upgrading to the latest version. If I were Microsoft and I could charge $300 for an upgrade from Office 2002 to Office 2003 versus giving IE 2003 away for free, I know where I would put my development dollars. Microsoft only patches IE when somebody complains loudly enough, otherwise they ignore it. “Good enough” is the enemy of “better.” “Feature bloat” is the enemy of “good enough.”

    Comment by Fred — Sunday, May 4, 2003 @ 12:01 am

  31. that’s competition for you, market forces at work

    Comment by filchyboy — Sunday, May 4, 2003 @ 1:40 am

  32. Trackback by Neil's World
  33. Comment 17: “Its even more ironic since IE tends to display malformed markup all the time.”

    It’s a bit off the main topic, but do I catch an allusion to that in Mark’s heading (The Importance of Human Readable Markup)? There’s a possible reference back to an item in the “Insomniac” post of 23rd March:

    http://bitworking.org/newsXHTML___XForms___XLink___Xanadu

    There we find this: “If we want to see the web’s historical wild growth continue, it shouldn’t be choked off with machine-legible-only formats”

    I think there probably are genuine arguments for laxity. Of course, browser crashes are another thing …

    Comment by Michael — Sunday, May 4, 2003 @ 6:39 am

  34. “hmm, there needs to be a term for malicious easter-eggs” : 6-months-after-easter-egg?

    Comment by Anonymous — Sunday, May 4, 2003 @ 9:40 am

  35. MikeyC, please stop talking crap. Nobody knows what MS’ plans for IE are, you’re just spreading unfounded rumors.

    People stated IE5 was going to be the last IE release. Oh look, it wasn’t true. You don’t know the release dates. You don’t know the plans. Neither do I.

    However, I do believe Microsoft can’t re-write IE’s rendering engine from scratch. It would be suicidal. They *have* to keep backwards-compatibility with the hundreds of IE-only applications in use today.

    They just have to evolve it - first get basic CSS1 and HTML4 sorted (not a massive challenge, they’re reasonably close). Then add the missing CSS2 support, and wire up MSXML for XHTML.

    But they have to do all that without breaking IE5 compatibility, which is a hard task.

    Comment by Anonymous — Sunday, May 4, 2003 @ 11:15 am

  36. “MikeyC, please stop talking crap. Nobody knows what MS’ plans for IE are, you’re just spreading unfounded rumors.”

    Look I didn’t claim that I know anything that hasn’t already been reported in various semi-credible sources like slashdot/the register/etc…I started my comment with “From what I’ve heard” so take it as you will.

    “People stated IE5 was going to be the last IE release. Oh look, it wasn’t true. You don’t know the release dates. You don’t know the plans. Neither do I.”

    Again, I never claimed that I knew anything about their actual plans. Merely repeating what I’ve read in other online sources ok. I think the people here can decide for themselves how much truth exists in these “rumours” so get over yourself buddy.

    Comment by MikeyC — Sunday, May 4, 2003 @ 12:53 pm


  37. Comment by Anonymous — Sunday, May 4, 2003 @ 2:01 pm

  38. This place crashes my IE all the time: [ad deleted]

    Comment by Anonymous — Sunday, May 4, 2003 @ 2:02 pm

  39. Here’s a test page that crashes Mozilla:
    http://www.geeklife.com/files/crashMoz.html

    Here’s the markup that makes it crash (angles changed to brackets so it will show up here):

    [html]
    [fieldset style="position:fixed;"]
    [legend]Crash[/legend]
    [/fieldset]
    [/html]

    People should be careful bashing IE to make certain the product they promote doesn’t suffer from similarly ridiculous vulnerabilities.

    Comment by dave bug — Sunday, May 4, 2003 @ 2:19 pm

  40. Trackback by vowe dot net
  41. To the (multiple) people who have tried to enter this exploit in my comments: piss off. I strip all HTML tags, no exceptions, so don’t bother.

    To the people posting irrelevant links in order to drive traffic to your site: piss off. Go find more socially acceptable things to do, like peeing in public fountains, or smoking in church.

    To the people calling each other names and debating the future of Internet Explorer: actually, this is mildly interesting. If anyone has *credible* information about the future of MSIE, I’d love to hear it.

    Comment by Mark — Sunday, May 4, 2003 @ 5:55 pm

  42. Mark,

    On a note related to your last comment, I suppose that’s something we’re bound to see before too long. Most likely, it will be in the form of spam trackbacks to popular blogs, enticing users with promising-looking trackbacks and then trying to sell product. For blogs with a high ratio of readers to poster(s), it’s inevitable that some spam trackbacks will slip through the cracks.

    Before long, we’ll see webs of trust built up around commenting and trackbacks.

    I’d blog this and link to your comment, but trackback autodiscovery would probably spam you further.

    Comment by Adam — Sunday, May 4, 2003 @ 6:08 pm

  43. “If anyone has *credible* information about the future of MSIE, I’d love to hear it.”

    What would you consider credible information: An official Microsoft press release? I don’t think we can get you that, but consider that Microsoft has been trying to make inroads into the cellphone/wireless market. Opera has been kicking butt by getting a few large European contracts recently, thanks in large part to the light-weight footprint of their product.

    Can Microsoft put their browser on resource-limited clients while at the same time continue to render all the quirks of past versions of desktop IE? I don’t know the answer to that question. I’m guessing that they can’t.

    Many people suggest that it would be suicide for them to drop support for quirky rendering. I don’t believe this to be so. Designers would simply work their butts off to get their pages in working order as fast as possible. When Internet Explorer 6 changed its cookie-handling policy, and broke many pages, it wasn’t Microsoft who bent to the will of the design community. When Microsoft recently put an end to chromeless windows (resizing down of a fullscreen window after pageload to create the effect of a window without surrounding chrome) we didn’t see some mass exodus from IE6 sp1. Designers simply sulked for a few days and then moved on. When you control 96% of the market you can do whatever you want (including cutting backwards compatibility), and designers have to follow along, whether they like it or not. Maybe not on personal blog sites you don’t, but if you are running any large institutional web site, you’re damn right you do.

    Comment by MikeyC — Sunday, May 4, 2003 @ 7:09 pm

  44. “People should be careful bashing IE to make certain the product they promote doesn’t suffer from similarly ridiculous vulnerabilities.”

    The difference is I can look at Bugzilla and know there is already a discussion on how to fix it, and multiple takes at patching it….
    [9:15 pm

  45. Interestingly, on my copy of Mac IE 5.2 (I’ve never had a reason to upgrade), the page at:

    http://vibrantlogic.com/new.html

    loads fine. Is this another Windows only problem?

    Comment by Chet — Sunday, May 4, 2003 @ 9:51 pm

  46. “Interestingly, on my copy of Mac IE 5.2 (I’ve never had a reason to upgrade)…loads fine.”

    I think Mac IE 5.2 *is* the latest version. So there is nothing for you to upgrade to (unless you mean upgrading to Safari/Mozilla)…

    “Is this another Windows only problem?”

    IE Win & IE Mac are the same browser in name only. They use different rendering engines (Trident and Tasman respectively) and were produced by different development teams at Microsoft. Not at all surprising that they would act differently from one another.

    Comment by MikeyC — Sunday, May 4, 2003 @ 10:36 pm

  47. Looks like IE will only crash if the parser stack hasn’t been initialized.

    If there’s a body tag previous to the malicious LOC it will *not* crash, even if the body is terminated before.

    Thus DOS by insertion will not work. However I’m afraid this will work with the Mozilla bug.

    http://www.sns1.de/partner/flamme/wflamme.nsf/Tag/2003-05-05:goodbyeIE

    Wolfgang

    Comment by Wolfgang Flamme — Sunday, May 4, 2003 @ 11:39 pm

  48. Confirmed for Mozilla, see:

    http://www.sns1.de/partner/flamme/wflamme.nsf/Tag/2003-05-05:mozillabashing

    Comment by Wolfgang Flamme — Monday, May 5, 2003 @ 4:55 am


  49. Comment by Anonymous — Monday, May 5, 2003 @ 6:03 am

  50. There is one economic reason for Microsoft to fix the current versions of IE, cost of processing bug reports. When I ran Mark’s test IE5.5 asked if I wanted to report this “new” bug, of course I said yes. Then it occurred to me that this is costing Microsoft real money to process duplicate bugs like mine and that sooner or later this cost would drive the need to issue a fix.

    Comment by Steven Kroeker — Monday, May 5, 2003 @ 11:24 am

  51. Steven, that’s only if you make the assumption that MS actually does something with all those bug reports.

    Comment by Glen — Monday, May 5, 2003 @ 1:11 pm

  52. Trackback by Quarter Life Crisis
  53. Trackback by Tannock.Net
  54. I doubt Microsoft will fix this bug as it relies on invalid HTML - as Wolfgang points out, there’s no body tag. Once you add that, the code works like it should.

    Comment by chris hester — Tuesday, May 6, 2003 @ 6:05 am

  55. MikeyC Wrote: “Many people suggest that it would be suicide for them to drop support for quirky rendering. I don’t believe this to be so. Designers would simply work their butts off to get their pages in working order as fast as possible.”

    Well, obviously, they would have to - either that, or block all IE7 (or whatever) users from a site. Either way it wouldn’t exactly create a great deal of good will towards MS.

    “When Internet Explorer 6 changed its cookie-handling policy, and broke many pages, it wasn’t Microsoft who bent to the will of the design community.”

    IE6 broke a few sites. Personally, I didn’t see any cookie problems with sites I regularly use. The fix (from what I know) was mostly adding an extra HTTP header with a privacy policy.

    Cookie handling in IE6 is good. It added benefit to Microsoft users. It was something they could plug in an otherwise quite dull release.

    What would removing support for the IE5 block model do? Let’s see…

    * Annoys users - broken pages
    * Annoys developers - masses of work to fix everything
    * Annoys managers - more money to fix everything
    * Reduces trust in IE - people are less likely to use it as a development platform
    * Forces people to use standards, which is *not* a good thing. People should choose standards, not be forced to them. Forcing would result in bad feelings towards them.
    * Annoys the rest of Microsoft - they’d have to re-write hundreds of internal Windows HTML files, Office HTML files, and Microsoft.com files.

    What does it directly achieve *for Microsoft customers*?

    * Nothing.

    It would probably get people using standards. That isn’t a direct visible benefit to users. Not worth the bad points, in my opinion.

    “When Microsoft recently put an end to chromeless windows we didn’t see some mass exodus from IE6 sp1.”

    Chromeless windows aren’t in extremely widespread use, and they were a possible security problem, and a big annoyance. Is the IE6 being backwards-compatible any of those?

    Comment by Anonymous — Tuesday, May 6, 2003 @ 11:33 am

  56. “What would removing support for the IE5 block model do? Let’s see…* Annoys users - broken pages…* Annoys developers - masses of work to fix everything
    What does it directly achieve *for Microsoft customers*?* Nothing.”

    Well first of all I didn’t go so far as to say they would/should remove the IE5 box model, but simply meant that they can’t take *all* the quirks with them forever. (Mozilla has a quirks mode, but doesn’t support document.layers).

    I’m not saying it wouldn’t annoy a lot of people (it definitely would), but simply that Microsoft’s monopoly power is such that annoyance wouldn’t significantly reduce their marketshare. Most people I know use Microsoft products because they (feel like) they have no other choice. I could see them forgoing a bit of the desktop browser market for a slice of the wireless/handheld market. Then they could collect a fee from developers to have their browser pre-installed on devices. Their (free) desktop browser monopoly, I’m sure, has its indirect benefits, but also has a significant cost attached to it. Companies usually give away products in an attempt to become ubiquitous, and then charge for it.

    My argument is based on the following premise:

    1) Microsoft wants a piece of the handheld/portable/wireless/cell/embedded browser market.

    2) Microsoft can’t squeeze their rendering engine into low-resource portables as is. They need to strip it down.

    3) Microsoft will want cross-platform/device rendering behaviour spanning the desktop and portable markets so that pages render in embedded browsers correctly–or else there won’t be a reason for manufacturers to go with Microsoft’s offering.

    Just my two cents based on rumour and conjecture from semi-credible sources.

    Comment by MikeyC — Tuesday, May 6, 2003 @ 10:48 pm

  57. Trackback by Mercurial
  58. Trackback by Mercurial
  59. Just had to try it. I used Brad’s example, saved the file to my web server as “crash.htm,” and then crashed my browser (IE 6) a couple times. Here’s the fun part: I next went to Windows Explorer and tried to delete the file. As soon as I clicked on the filename, Windows Explorer promptly crashed, too. I had to re-open the file with Notepad and change the text before I could delete it without crashing Windows Explorer. My desktop is Windows XP. So anyway, there seems to be a related bug, or maybe some shared code or some other similarity causing similar behavior in IE 6 and in Windows Explorer.

    Comment by Mark — Friday, May 9, 2003 @ 2:04 pm

  60. Oh, duh, OK, the similarity is the HTML rendering library. Still, does anyone else think it’s weird that you don’t have to open the file to make it crash Windows Explorer–all you have to do is click on it?

    Comment by Mark (er, not Pilgrim, sorry) — Friday, May 9, 2003 @ 2:15 pm

  61. Probably it’s being “helpful” and “smart” and noticing the file extension and trying to show some sort of preview in the Explorer window. Which crashes, naturally, since everything is sharing the same HTML rendering library.

    Comment by Mark — Friday, May 9, 2003 @ 2:23 pm

© 2001-8 Mark Pilgrim