the Network.URI parser

Peter Gammie peteg42 at
Tue May 27 06:58:06 EDT 2008


On 27/05/2008, at 3:19 PM, Neil Mitchell wrote:

>> <p><img src="javascript:alert('XSS');" alt=""/></p>
> That's a bad example, since its a bit dodgy, and possibly a security
> flaw. I prefer the example:
> <a href="javascript:alert('XSS');">foo</a>
> This works in all browsers. For a URI, if you have javascript: as the
> prefix, the rest can be any javascript expression - including brackets
> etc. If you have javascript as the protocol, its not really a URI
> pointing at a document anymore.

It most certainly is a security flaw. If you read that page I pointed  
to before (it's safe, I think, but best not use IE, ok? :-) you will  
find a whole pile of dodgy URIs. Most get culled (in my case) by the  
HaXml parser and/or XHTML 1.0 Strict validation, and now I hope to  
eliminate the rest by carefully handling the URIs.

On that topic, does anyone have any good advice for handling these  

I can imagine whitelisting schemes (ftp/http/???) and doing the  

<a href="link">anchor text [authority]</a>

for links coming from untrusted sources.

If anyone knows of the state-of-the-art in this area, I'd appreciate a  

doesn't seem to think the style attribute is unsafe. Have they not  
been following the MySpace fiascos?

(Sorry if this is a bit off-topic.)


More information about the Libraries mailing list