[原文]Microsoft Internet Explorer 5.0 through 6.0 allows remote attackers to cause a denial of service (crash) via an object of type "text/html" with the DATA field that identifies the HTML document that contains the object, which may cause infinite recursion.
Microsoft Internet Explorer is vulnerable to a denial of service due to an error in handling certain self-referential <OBJECT> definitions in HTML documents. This occurs when an object of type "text/html" is specified, with the DATA field referencing the name of the HTML document in which it is defined. Other circumstances may also trigger this condition.
Create a file named "CRASH.HTM" with the following line in it:
<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
The following example was also submitted by Ryan Emerle: