ext_81047 ([identity profile] kihou.livejournal.com) wrote in [personal profile] jducoeur 2013-12-18 05:59 pm (UTC)

I'm confused why you're talking several times about "relative URLs" here. A URL starting with "javascript:" isn't a valid relative URL, so if you escape things properly to ensure that you're always generating a valid relative URL, you should be fine even if people name their Things maliciously. If a URL starts with an alphanumeric (plus + . and -) string followed by a colon, that's interpreted as a scheme; you can fix that by prepending "./" to the start of your relative URL or (in most cases) URL-escaping the :.
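The two fixes the comment describes, as an added example that is not part of the original comment or of the site's code: the base URL, the sample names and all function names are constructed for illustration, and the standard WHATWG `URL` parser is used to check how each generated reference resolves.

```javascript
// Added example. BASE, the names and the helpers are assumptions for illustration.
const BASE = "http://example.test/space/"; // constructed page URL

// RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":"
const LEADING_SCHEME = /^[A-Za-z][A-Za-z0-9+.-]*:/;

// Fix 1: keep ":" literal, but prepend "./" whenever the reference
// would otherwise begin with something a parser reads as a scheme.
function hrefWithDotSlash(name) {
  const segment = encodeURIComponent(name).replace(/%3A/g, ":");
  return LEADING_SCHEME.test(segment) ? "./" + segment : segment;
}

// Fix 2: percent-encode the name as one path segment, which turns ":" into
// "%3A" so no scheme can be recognised at the start.
function hrefWithEscapedColon(name) {
  return encodeURIComponent(name);
}

// True when the reference, resolved against BASE, stays on the same origin.
function staysOnSite(href) {
  try {
    return new URL(href, BASE).origin === new URL(BASE).origin;
  } catch (e) {
    return false; // unparseable references are rejected
  }
}

// Constructed Thing names: one plain, two that start like a scheme.
const names = ["plain-thing", "Notes: week 1", "javascript:demo"];
for (const name of names) {
  console.log(JSON.stringify(name), {
    unescaped: staysOnSite(name),
    dotSlash: [hrefWithDotSlash(name), staysOnSite(hrefWithDotSlash(name))],
    escapedColon: [hrefWithEscapedColon(name), staysOnSite(hrefWithEscapedColon(name))],
  });
}
```
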
