jducoeur wrote 2013-12-18 12:26 pm

Anyone have a good index of javascript-injection hacks in URLs?

(This one is for the programmers out there, and especially for security geeks.)

As I was doing some updates yesterday, it occurred to me that Querki now allows you to name your Things pretty much anything you want. Including "javascript:...do something malicious...". Since we generate relative URLs to pages (and therefore, the URL is basically this name), this is Bad.

I've fixed the obvious hack by the simple expedient of screening out any URLs that begin "javascript:", but I'm guessing that that isn't enough -- that there are other ways to be malicious with a URL.

So I'm looking for suggestions. Take it for granted that Querki allows you to specify URLs, and that those URLs can be *fairly* arbitrary relative URLs, so I can't just whitelist a simple legal syntax -- I probably need to think in terms of blacklisting the badness. Do you know a good comprehensive list of the possible syntaxes that could be used for Javascript injection when placed inside an href? (Better yet, do you know an existing regex pattern to detect them?)
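An added example, not part of the original post and not Querki's code: rather than blacklisting prefixes, it normalizes a URL the way browsers do before parsing and then allowlists the scheme, and it shows a Thing name being encoded as a path segment so it can never parse as a scheme. The names `ALLOWED_SCHEMES`, `classifyHref` and `hrefForThingName` and the choice of allowed schemes are assumptions.

```javascript
// Added example; all function and constant names here are hypothetical.
// Assumption: only these schemes are acceptable in user-supplied links.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Browsers pre-process an href before parsing it (WHATWG URL spec):
// leading/trailing C0 control characters and spaces are stripped, and
// ASCII tab, LF and CR are removed wherever they occur. A check for a
// literal "javascript:" prefix on the raw string misses all of these,
// plus mixed case, so the check must run on the normalized form.
function normalizeLikeBrowser(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Classify a user-supplied URL. Anything with a scheme must be on the
// allowlist; anything without one is a relative reference.
// Assumption: `raw` is the final attribute value (HTML entities already
// decoded), and the result is HTML-attribute-escaped when written out.
function classifyHref(raw) {
  const url = normalizeLikeBrowser(raw);
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  if (!m) return { ok: true, kind: "relative", href: url };
  const scheme = m[1].toLowerCase();
  if (ALLOWED_SCHEMES.has(scheme)) return { ok: true, kind: scheme, href: url };
  return { ok: false, kind: scheme, href: null };
}

// Build the relative link for a Thing from its name. Percent-encoding the
// name and prefixing "./" means a colon in the name is data, never a
// scheme delimiter, whatever the user typed.
function hrefForThingName(name) {
  return "./" + encodeURIComponent(name);
}

// Constructed sample inputs.
for (const s of ["javascript:void(0)", " JavaScript:void(0)",
                 "java\tscript:void(0)", "My-Thing/sub?x=1"]) {
  console.log(JSON.stringify(s), "->", classifyHref(s).kind, classifyHref(s).ok);
}
console.log(hrefForThingName("javascript:void(0)"));
```

The scheme allowlist stays small and fixed even when the rest of the URL is arbitrary, which is why it holds up better than enumerating bad prefixes.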
