the Network.URI parser

Neil Mitchell ndmitchell at gmail.com
Tue May 27 04:19:04 EDT 2008


Hi Peter,

> <p><img src="javascript:alert('XSS');" alt=""/></p>

That's a bad example, since it's a bit dodgy, and possibly a security
flaw. I prefer the example:

<a href="javascript:alert('XSS');">foo</a>

This works in all browsers. For a URI, if you have javascript: as the
prefix, the rest can be any javascript expression - including brackets
etc. If you have javascript as the protocol, it's not really a URI
pointing at a document anymore.

Thanks

Neil
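An added illustration of the point above, not code from the thread or from the network-uri package: Network.URI's parseURI happily accepts "javascript:alert('XSS');" (everything after the colon is a legal path character), so a consumer that wants to render hrefs has to check the scheme itself. The allowlist below is a constructed example.

```haskell
import Data.Char (toLower)
import Network.URI (URI (..), parseURI)

-- Constructed allowlist of schemes we are willing to emit in an href.
-- uriScheme keeps the trailing colon, so the entries do too.
safeSchemes :: [String]
safeSchemes = ["http:", "https:", "mailto:"]

-- Accept a link target only if it parses as an absolute URI whose
-- scheme is on the allowlist. Parsing alone is not a filter: a
-- javascript: string parses fine, with the expression as its path.
-- Schemes are case-insensitive, so compare in lower case.
safeHref :: String -> Maybe URI
safeHref s = do
  u <- parseURI s
  if map toLower (uriScheme u) `elem` safeSchemes
    then Just u
    else Nothing

main :: IO ()
main = mapM_ check
  [ "javascript:alert('XSS');"    -- parses, but rejected by the allowlist
  , "JavaScript:alert(1)"         -- mixed-case scheme, still rejected
  , "https://example.com/foo"     -- allowed
  , "mailto:someone@example.com"  -- allowed
  , "not a uri"                   -- fails to parse, rejected
  ]
  where
    check s = putStrLn (s ++ " -> " ++ verdict (safeHref s))
    verdict = maybe "rejected" (\u -> "allowed (scheme " ++ uriScheme u ++ ")")
```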

