javascript urls aren't sanitized #39

kpreid · 2015-04-16T01:22:21Z

Original issue 39 created by metaweta on 2008-01-18T00:42:08.000Z:

<div id="1"></div>
<script type="text/javascript">
document.getElementById("1").innerHTML="<a
href='javascript:alert(1)'>blah</a>";
</script>

kpreid · 2015-04-16T01:22:21Z

Comment #1 originally posted by metaweta on 2008-01-18T00:45:35.000Z:

Also, the easier
blah
does get translated to
blah
but still ought to be sanitized

kpreid · 2015-04-16T01:22:24Z

Comment #2 originally posted by mikesamuel on 2008-01-18T05:08:11.000Z:

Yep. We need to settle on a URI rewriting policy.

GxpCompiler requires all URIs to be relative and not to have .. that escapes to a
parent directory.

Ryan's HtmlCompiler applies no such policy, but we can probably use the UriCallback
policy.

kpreid · 2015-04-16T01:22:26Z

Comment #3 originally posted by erights on 2008-01-28T20:01:29.000Z:

<empty>

kpreid · 2015-04-16T01:22:28Z

Comment #4 originally posted by erights on 2008-01-28T20:25:16.000Z:

<empty>

kpreid · 2015-04-16T01:22:30Z

Comment #5 originally posted by mikesamuel on 2008-03-09T02:51:29.000Z:

This code gets passed through the url callback properly.

kpreid added Type-Defect Priority-High Security labels Apr 16, 2015

kpreid closed this as completed Apr 16, 2015

Provide feedback