Is this safe? <a href=http://javascript:...>
Posted by KajMagnus on Pro Webmasters, published on 2011-03-30T09:40:51Z
I wonder if href and src attributes on <a> and <img> tags are always safe w.r.t. XSS attacks, if they start with http:// or https://.

For example, is it possible to append javascript: ... to the href and src attribute in some manner, to execute code?

Disregarding whether or not the destination page is e.g. a phishing site, or the <img src=...> triggers a terribly troublesome HTTP GET request.
Background: I'm processing text with markdown, and then I sanitize the resulting HTML (using Google Caja's JsHtmlSanitizer). Some sample code in Google Caja assumes all hrefs and srcs that start with http:// or https:// are safe -- I wonder if it's safe to use that sample code.

Kind regards,
Kaj-Magnus
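An added example, not from the question or from Google Caja's sanitizer, showing how a URL attribute value can be checked by its parsed scheme rather than by a string prefix. It uses the standard WHATWG URL parser (the global URL class, available in browsers and Node), which applies the same normalization a browser applies before deciding what scheme an href or src has; the helper names (safeHref, renderLink, escapeAttr) and the sample inputs are my own and are constructed for this illustration. Relative URLs are deliberately rejected here, since the question is about absolute http:// and https:// values.

```javascript
// Schemes a sanitizer is willing to emit in href/src attributes.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Return the normalized absolute URL if its parsed scheme is allowlisted,
// otherwise null. new URL() does the normalization browsers do (trims
// surrounding whitespace, lowercases the scheme, strips stray tab/newline
// characters) before the scheme is read, so the check cannot be fooled by
// decorating the raw string. It throws on anything it cannot parse as an
// absolute URL, and we treat that as "unsafe" too.
function safeHref(value) {
  let parsed;
  try {
    parsed = new URL(String(value)); // no base URL: relative values are rejected
  } catch {
    return null;
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Escape a value for use inside a double-quoted HTML attribute or text node.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render a link only when the URL passed the scheme check; otherwise emit
// the link text alone so nothing attacker-controlled lands in an attribute.
function renderLink(href, text) {
  const url = safeHref(href);
  return url === null
    ? escapeAttr(text)
    : `<a href="${escapeAttr(url)}">${escapeAttr(text)}</a>`;
}

// Constructed sample inputs (not from the original post).
const samples = [
  "https://example.com/?next=javascript:alert(1)", // http(s) scheme, payload is only query text
  "http://javascript:/page",                       // scheme http:, the host merely happens to be "javascript"
  "http://javascript:alert(1)",                    // unparseable: "alert(1)" is not a valid port
  "javascript:alert(1)",                           // scheme javascript: -> rejected
  "  JAVASCRIPT:alert(1)",                         // same after the parser's normalization
  "data:text/html,hello",                          // non-allowlisted scheme -> rejected
  "/relative/path",                                // relative, no base -> rejected here
];

for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeHref(s));
}
```

The point the output makes: once the string has actually been parsed, a value starting with http:// or https:// has that scheme and nothing appended after it can change it; javascript: can only appear as a separate scheme of its own, which the allowlist refuses. The remaining work is attribute escaping, which renderLink shows, because the scheme check says nothing about quotes or angle brackets inside the value.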