In some cases users turn off Javascript for some security reasons. HTML has limited scripting, in fact it has almost zero scripting capabilities. Well, that is only true if one discards the FOR attribute on a label element, part of form controls. I talked about this FOR attribute before and how to use it to trick users into uploading files from their computer secretly. Problem was it required Javascript. So I just thought about that FOR attribute, and since it binds a label to another element, it is in fact some sort of scripting right? or at least it's a kind of HTML logic that can be triggered if a user performs something on a element.

Turns out, that it's possible to submit forms with it, without Javascript. Useful, if you're into CSRF and all that. So what I did was the following: I made a HTML page and created a label and inside the label I placed the BODY of the page, containing HTML and text. Now, interestingly the LABEL and it's content is now the button itself through binding of the FOR attribute only invisibly. So, that means that when you select text or click somewhere inside the body, the binding becomes active, and the instruction to submit a form is executed without any scripting at all.

My only hope is that it doesn't create binding between OBJECTS and LABELS, as stated in the Forms RFC[1] where OBJECTS are also seen as control types along fields, buttons and other form items. That would mean that it would be possible to activate OBJECTS through binding labels to it.

Label binding example:

<label for="action">



<body>


 Etymology of "Foo" 1 April 2001
 When used in connection with `bar' it is generally traced to the
 WW II era Army slang acronym FUBAR (`Fucked Up Beyond All
 Repair'), later modified to foobar. Early versions of the Jargon
 File [JARGON] interpreted this change as a post-war
 bowdlerization, but it now seems more likely that FUBAR was itself
 a derivative of `foo' perhaps influenced by German `furchtbar'
 (terrible) - `foobar' may actually have been the original form.



</body>



</label>



<form action="http://www.google.com" method="get">


 <input type="submit" id="action" style="display:none;">



</form>

[1] http://www.w3.org/TR/html401/interact/forms.html#h-17.2.1
source: OWASP News