PerlMonks
Re: New bracket-link stuff

by Juerd (Abbot)
on Apr 25, 2004 at 09:47 UTC (#347950)


in reply to New bracket-link stuff

Why is the // still needed?

[href://javascript:alert('foo')|And I don't think this is a good idea.]

Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }


Re: Re: New bracket-link stuff
by theorbtwo (Prior) on Apr 25, 2004 at 17:05 UTC

    The :// is needed because it separates the pseudo-uri-schema from the rest-of-the-uri. (Real URIs use : for schemas that do not take a hostname next, but this isn't a real uri, and doesn't use quite the same syntax.)

    And as to the second point, we do bracket-link expansion before HTML verification, IIRC, and thus it doesn't make that sort of "attack" much easier. As always, look before you leap click. (And don't use a browser that lets people lie about where links point, like some unpatched IEs.)

    test

    The HTML filtering code could, at some point, be enhanced to check for this sort of attack, but I'm not sure I understand that code sufficiently to do that -- that would be more of a tyeish project.


    Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).

Re: Re: New bracket-link stuff
by ambrus (Abbot) on Apr 26, 2004 at 13:30 UTC

    I agree with theorbtwo, it's really an issue with the html filtering.

    Indeed, you can do that without brackets, like you type

    <a href="javascript:alert('foo')">this</a>
    you get this.
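What the scheme check that theorbtwo and ambrus say belongs in the HTML filter could look like, as an added Python example rather than PerlMonks's own code; the bracket-link expander, the allowlist and all function names are assumptions, and the filter runs after expansion in the order theorbtwo describes.

```python
import html
import re

# Schemes allowed in href attributes. Assumption: a scheme allowlist is the
# check the thread says the site's HTML filter lacks; the real filter is not
# on the page.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# Hypothetical form of the bracket-link syntax discussed in the thread.
_BRACKET_RE = re.compile(r"\[href://([^\]|]+)\|([^\]]+)\]")
# href attribute of an <a> tag: double-quoted, single-quoted or bare value.
_HREF_RE = re.compile(
    r"""(<a\b[^>]*?\bhref\s*=\s*)(?:"([^"]*)"|'([^']*)'|([^\s>"']+))""",
    re.IGNORECASE,
)

def scheme_of(url):
    """Return the lowercase scheme of url, or None if url is relative.

    Browsers decode entities in attribute values, strip leading blanks and
    ignore ASCII control characters (tab, newline) inside the scheme, so
    'java\\tscript:' and 'javascript&#58;' still run. Normalise the same way
    before the comparison, or the allowlist is trivially bypassed.
    """
    cleaned = "".join(ch for ch in html.unescape(url).strip() if ord(ch) > 0x1F)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    return m.group(1).lower() if m else None

def href_is_safe(url):
    scheme = scheme_of(url)
    return scheme is None or scheme in ALLOWED_SCHEMES

def sanitize_anchors(markup):
    """Replace the href of any <a> whose scheme is not allowlisted with '#'."""
    def fix(m):
        url = m.group(2) or m.group(3) or m.group(4) or ""
        return m.group(0) if href_is_safe(url) else m.group(1) + '"#"'
    return _HREF_RE.sub(fix, markup)

def expand_bracket_links(text):
    """Turn [href://URL|label] into an anchor, as the site does before filtering."""
    return _BRACKET_RE.sub(lambda m: f'<a href="{m.group(1)}">{m.group(2)}</a>', text)

def render(text):
    # Same order as theorbtwo describes: expand bracket links, then filter the HTML.
    return sanitize_anchors(expand_bracket_links(text))
```

Because the check runs on the expanded HTML, a raw `<a href="javascript:...">` typed directly, as in ambrus's example, is caught by the same code path as the bracket form.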
