Is this safe? <a href=http://javascript:...>

Posted by KajMagnus on Pro Webmasters
Published on 2011-03-30T09:40:51Z Indexed on 2012/06/28 15:25 UTC


I wonder if href and src attributes on <a> and <img> tags are always safe w.r.t. XSS attacks, if they start with http:// or https://.

For example, is it possible to append javascript: ... to the href and src attribute in some manner, to execute code?

Disregarding whether or not the destination page is e.g. a phishing site, or the <img src=...> triggers a terribly troublesome HTTP GET request.

Background: I'm processing text with markdown, and then I sanitize the resulting HTML (using Google Caja's JsHtmlSanitizer). Some sample code in Google Caja assumes all hrefs and srcs that start with http:// or https:// are safe -- I wonder if it's safe to use that sample code.

Kind regards,
Kaj-Magnus
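The point the question turns on, worked through as an added example (my code, not the poster's and not Google Caja's): a browser decides the scheme of an href or src with its URL parser, and the scheme is whatever precedes the first colon, so a value that begins with `http://` or `https://` parses as http/https and cannot also be `javascript:`. The defensive check to prefer is therefore an allowlist on the parsed scheme rather than on raw characters; Node's global `URL` (WHATWG parser) is assumed, and the sample inputs are constructed.

```javascript
// Scheme allowlist for href/src values (defender's check, added example).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parsed scheme such as "http:", or null if the value is not a valid absolute URL.
// The WHATWG parser strips leading/trailing C0 controls and spaces, removes
// embedded tabs and newlines, and lowercases the scheme before comparing.
function schemeOf(value) {
  try {
    return new URL(value).protocol;
  } catch (e) {
    return null;
  }
}

// Normalised URL to emit into the attribute, or null to drop the attribute.
function safeUrlAttribute(value) {
  const scheme = schemeOf(value);
  if (scheme === null || !ALLOWED_SCHEMES.has(scheme)) return null;
  return new URL(value).href;
}

// The raw prefix test the question describes: accept if the text starts
// with http:// or https://. It is stricter than the parser (it rejects
// values with leading whitespace or no scheme), so it admits a subset.
function prefixCheckAccepts(value) {
  return /^https?:\/\//i.test(value);
}

// Constructed inputs: what attacker-controlled markdown links might yield.
const SAMPLES = [
  "http://example.com/page",                        // plain, allowed
  "HTTP://Example.COM",                             // case is normalised
  "http://example.com/?next=javascript:alert(1)",   // still scheme http:
  "http://example.com/javascript:alert(1)",         // still scheme http:
  "javascript:alert(1)",                            // rejected
  " \t\njavascript:alert(1)",                       // whitespace stripped by parser, still rejected
  "JaVaScRiPt:alert(1)",                            // case-folded, rejected
  "data:text/html,x",                               // not on allowlist
  "//example.com/protocol-relative",                // no absolute scheme, rejected
];

// True if any sample passes the prefix test yet parses as javascript:.
// Expected false: appending text after http:// cannot change the scheme.
function prefixCheckAdmitsScriptScheme(samples) {
  return samples.some(v => prefixCheckAccepts(v) && schemeOf(v) === "javascript:");
}
```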

© Pro Webmasters or respective owner
