
javascript:// URL is XSS. #13

homakov opened this Issue · 3 comments

2 participants


// doesn't save you, since you can use %0A to just go to the next line and then execute some code.

=> helper.auto_link "before text javascript://  sometext"
=> "before text <a href=\"javascript://\">javascript://</a>  sometext"

Current protection is not enough! - it doesn't work with <a href="javascript:alert(1)">asdf</a> - that's good but not sufficient.

The showcase above is pretty cool IMHO since autolink (in old Rails projects and this gem itself) is popular, and using just pure text you can leave XSS on any Rails app that uses auto_link somewhere.

If you add some clickjacking it will turn into a really awful vulnerability. Anyway, please fix :)

@homakov homakov closed this

Let's keep the issue closed until we fix it, it will be a bit safer.

So I did some tests.

It works in views too:
<%=auto_link('auto link <script>a()</script> some checks javascript://%0Aalert(1)')%>

And it is html_safe!
auto_link('auto link <script>a()</script> some checks javascript://%0Aalert(1)').html_safe? == true

Fast fix:
use double sanitizing:

<%=sanitize auto_link('auto link <script>a()</script> some checks javascript://%0Aalert(1)')%>

Real fix:
Will be ready soon. It's night in the US, so let me prepare a PR.


@homakov Thanks!

@homakov homakov referenced this issue from a commit in homakov/rails_autolink
@homakov homakov sanitize after auto_link - #13 XSS vulnerability be5ad89

with patched auto_link:

irb(main):070:0> helper.auto_link "before text javascript://  sometext"
=> "before text <a>javascript://</a>  sometext"
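The post-processing idea behind the fix above (check each generated href and drop it when its scheme is not allowed), as an added stand-alone example that is not the gem's code and not the commit referenced in this issue. It does not depend on Rails; `SAFE_SCHEMES`, `safe_href?` and `strip_unsafe_hrefs` are names chosen here. The scheme is compared only after percent-decoding and stripping control characters, which is what makes the `javascript://%0Aalert(1)` trick from this thread fail.

```ruby
require 'cgi'

# Schemes an auto-linker may safely turn into a clickable href (assumed list).
SAFE_SCHEMES = %w[http https mailto ftp].freeze

# Returns true when +url+ is acceptable as an href value.
# The scheme is extracted only after percent-decoding and after removing
# control characters and whitespace, so "javascript://%0Aalert(1)" is refused
# even though the "//" looks like a harmless JavaScript comment.
def safe_href?(url)
  decoded = CGI.unescape(url.to_s)
  # Browsers ignore tabs, newlines and other control characters inside a
  # scheme, so strip them before looking at it.
  cleaned = decoded.gsub(/[[:cntrl:]\s]/, '')
  scheme = cleaned[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  return true if scheme.nil? # relative URL without any scheme
  SAFE_SCHEMES.include?(scheme.downcase)
end

# Post-processing step in the spirit of "sanitize after auto_link":
# remove the href from every <a> whose target fails safe_href?, leaving the
# link text visible but inert, e.g. <a>javascript://</a>.
def strip_unsafe_hrefs(html)
  html.gsub(/<a\s+href=(["'])(.*?)\1([^>]*)>/i) do
    quote, href, rest = $1, $2, $3
    safe_href?(href) ? "<a href=#{quote}#{href}#{quote}#{rest}>" : "<a#{rest}>"
  end
end

# Constructed sample: the exact auto_link output shown in this issue.
if __FILE__ == $PROGRAM_NAME
  puts strip_unsafe_hrefs('before text <a href="javascript://">javascript://</a>  sometext')
  puts strip_unsafe_hrefs('<a href="javascript://%0Aalert(1)">x</a> <a href="http://example.com">ok</a>')
end
```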