
Neil,

On 27/05/2008, at 3:19 PM, Neil Mitchell wrote:

>> <p><img src="javascript:alert('XSS');" alt=""/></p>
>
> That's a bad example, since it's a bit dodgy, and possibly a security flaw. I prefer the example:
>
> <a href="javascript:alert('XSS');">foo</a>
>
> This works in all browsers. For a URI, if you have javascript: as the prefix, the rest can be any javascript expression - including brackets etc. If you have javascript as the protocol, it's not really a URI pointing at a document anymore.
It most certainly is a security flaw. If you read that page I pointed to before (it's safe, I think, but best not use IE, ok? :-) you will find a whole pile of dodgy URIs. Most get culled (in my case) by the HaXml parser and/or XHTML 1.0 Strict validation, and now I hope to eliminate the rest by carefully handling the URIs.

On that topic, does anyone have any good advice for handling these things? I can imagine whitelisting schemes (ftp/http/???) and doing the slashdot-thing: <a href="link">anchor text [authority]</a> for links coming from untrusted sources. If anyone knows of the state-of-the-art in this area, I'd appreciate a pointer.

http://htmlpurifier.org/live/smoketests/printDefinition.php doesn't seem to think the style attribute is unsafe. Have they not been following the MySpace fiascos?

(Sorry if this is a bit off-topic.)

cheers
peter