the Network.URI parser
Neil Mitchell
ndmitchell at gmail.com
Tue May 27 04:19:04 EDT 2008
Hi Peter,
> <p><img src="javascript:alert('XSS');" alt=""/></p>
That's a bad example, since it's a bit dodgy, and possibly a security
flaw. I prefer the example:
<a href="javascript:alert('XSS');">foo</a>
This works in all browsers. For a URI, if you have javascript: as the
prefix, the rest can be any javascript expression - including brackets
etc. If you have javascript as the protocol, it's not really a URI
pointing at a document anymore.
Thanks
Neil
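As an added example (not part of Neil's message, and not Network.URI code), a defensive link check in Python that makes the same point: only the prefix before the first ':' decides whether a link is a document reference, and the remainder of a javascript: URI is never parsed, since it can be any expression. The allow-list and the whitespace/control-character normalisation (mirroring what the WHATWG URL parser does before it reads the scheme) are assumptions of mine.

```python
import re
from typing import Optional

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Assumed policy: schemes acceptable in an href/src attribute. Everything else,
# including javascript: and data:, is rejected.
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})


def normalise(uri: str) -> str:
    """Mimic the browser's pre-processing (WHATWG URL parser, assumed here):
    drop leading/trailing C0 controls and spaces, and remove tab/newline anywhere.
    A sanitiser that skips this step sees a different scheme than the browser does."""
    stripped = uri.strip(" \t\n\r\x0b\x0c" + "".join(chr(c) for c in range(0x20)))
    return stripped.replace("\t", "").replace("\n", "").replace("\r", "")


def uri_scheme(uri: str) -> Optional[str]:
    """Return the lower-cased scheme of a URI, or None for a relative reference.

    Scheme names are case-insensitive, so 'JavaScript:' and 'javascript:' are the
    same thing. Nothing after the ':' is inspected: for a javascript: URI the rest
    is an arbitrary JavaScript expression (brackets, quotes, semicolons, ...)."""
    m = _SCHEME_RE.match(normalise(uri))
    return m.group(1).lower() if m else None


def is_safe_link(uri: str) -> bool:
    """Accept relative references and allow-listed schemes; reject everything else."""
    scheme = uri_scheme(uri)
    return scheme is None or scheme in SAFE_SCHEMES


if __name__ == "__main__":
    # Inputs taken from the message above plus a few constructed ones.
    for link in ("javascript:alert('XSS');", "https://example.com/", "page.html#top"):
        print(f"{link!r:40} scheme={uri_scheme(link)!r:14} safe={is_safe_link(link)}")
```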