the Network.URI parser
Peter Gammie
peteg42 at gmail.com
Tue May 27 06:58:06 EDT 2008
Neil,
On 27/05/2008, at 3:19 PM, Neil Mitchell wrote:
>> <p><img src="javascript:alert('XSS');" alt=""/></p>
>
> That's a bad example, since it's a bit dodgy, and possibly a security
> flaw. I prefer the example:
>
> <a href="javascript:alert('XSS');">foo</a>
>
> This works in all browsers. For a URI, if you have javascript: as the
> prefix, the rest can be any javascript expression - including brackets
> etc. If you have javascript as the protocol, it's not really a URI
> pointing at a document anymore.
It most certainly is a security flaw. If you read that page I pointed
to before (it's safe, I think, but best not use IE, ok? :-) you will
find a whole pile of dodgy URIs. Most get culled (in my case) by the
HaXml parser and/or XHTML 1.0 Strict validation, and now I hope to
eliminate the rest by carefully handling the URIs.
On that topic, does anyone have any good advice for handling these
things?
I can imagine whitelisting schemes (ftp/http/???) and doing the
slashdot-thing:
<a href="link">anchor text [authority]</a>
for links coming from untrusted sources.
If anyone knows of the state-of-the-art in this area, I'd appreciate a
pointer.
http://htmlpurifier.org/live/smoketests/printDefinition.php
doesn't seem to think the style attribute is unsafe. Have they not
been following the MySpace fiascos?
(Sorry if this is a bit off-topic.)
cheers
peter
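As an added illustration of the approach Peter sketches above (scheme whitelisting plus the slashdot-style "[authority]" suffix for links from untrusted sources), here is a small Haskell program built on Network.URI. It is not code from the thread or from the library itself; it assumes the Network.URI module as shipped in the network-uri package (parseURI, uriScheme, uriAuthority, uriRegName, uriToString), and the names sanitizeHref, renderLink, escapeHtml and allowedSchemes are the example's own. The sample hrefs in main are constructed for the demonstration.

```haskell
-- Added example (not from the original thread): whitelist the URI scheme of
-- an untrusted href with Network.URI, and render the link with its host in
-- brackets so the reader can see where it really points.
module Main (main) where

import Data.Char (toLower)
import Network.URI (URI (..), URIAuth (..), parseURI, uriToString)

-- Schemes we are prepared to link to. Note that Network.URI keeps the
-- trailing colon in uriScheme, so the entries carry it too. Anything else
-- (javascript:, data:, unknown schemes, relative references, unparseable
-- input) is rejected.
allowedSchemes :: [String]
allowedSchemes = ["http:", "https:", "ftp:"]

-- Parse an untrusted href. Only absolute URIs with a whitelisted scheme
-- and a non-empty host survive; a parse failure fails closed (Nothing).
sanitizeHref :: String -> Maybe URI
sanitizeHref raw = do
  uri <- parseURI raw            -- Nothing on leading whitespace, stray
                                 -- characters, or a relative reference
  auth <- uriAuthority uri       -- require an authority ("//host") part
  let scheme = map toLower (uriScheme uri)   -- scheme names are case-insensitive
  if scheme `elem` allowedSchemes && not (null (uriRegName auth))
    then Just uri { uriScheme = scheme }
    else Nothing

-- Minimal escaping for text and attribute values in an HTML context.
escapeHtml :: String -> String
escapeHtml = concatMap esc
  where
    esc '<'  = "&lt;"
    esc '>'  = "&gt;"
    esc '&'  = "&amp;"
    esc '"'  = "&quot;"
    esc '\'' = "&#39;"
    esc c    = [c]

-- Render the slashdot-style anchor: link text followed by the host in
-- brackets. If the href is rejected, keep the text but drop the link.
renderLink :: String -> String -> String
renderLink text raw = case sanitizeHref raw of
  Nothing  -> escapeHtml text
  Just uri ->
    let host = maybe "" uriRegName (uriAuthority uri)
        href = uriToString id uri ""
    in "<a href=\"" ++ escapeHtml href ++ "\">" ++ escapeHtml text
       ++ " [" ++ escapeHtml host ++ "]</a>"

main :: IO ()
main = mapM_ (putStrLn . renderLink "foo")
  [ "http://example.org/page"            -- kept
  , "HTTPS://Example.org/x?y=1"          -- kept, scheme lower-cased
  , "javascript:alert('XSS')"            -- Neil's example: no authority -> rejected
  , "JavaScript:alert(1)"                -- case variant -> rejected
  , " http://example.org/"               -- leading space: parse failure -> rejected
  , "//example.org/protocol-relative"    -- no scheme -> rejected
  , "ftp://ftp.example.org/pub/"         -- kept
  ]
```

Two design points worth noting. First, the check runs on the parsed, lower-cased scheme rather than on a prefix of the raw string, so case variants are caught; anything parseURI refuses is dropped outright rather than passed through, which is the safe default for an untrusted field. Second, requiring an authority component means a scheme on the whitelist is not enough on its own: the link must name a host, which is also what makes the "[authority]" suffix meaningful to the reader.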