ejayimperial / google-caja

Automatically exported from code.google.com/p/google-caja

javascript urls aren't sanitized #39

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
<!-- Repro: a javascript: href inserted through innerHTML -->
<div id="1"></div>
<script type="text/javascript">
document.getElementById("1").innerHTML =
    "<a href='javascript:alert(1)'>blah</a>";
</script>

Original issue reported on code.google.com by metaw...@gmail.com on 18 Jan 2008 at 12:42

GoogleCodeExporter commented 9 years ago
Also, the easier
  <a href="javascript:alert(1)">blah</a> 
does get translated to
  <a target="_new" href="javascript:alert(1)">blah</a>
but still ought to be sanitized

Original comment by metaw...@gmail.com on 18 Jan 2008 at 12:45

GoogleCodeExporter commented 9 years ago
Yep. We need to settle on a URI rewriting policy.

GxpCompiler requires all URIs to be relative and not to have .. that escapes to a parent directory.

Ryan's HtmlCompiler applies no such policy, but we can probably use the UriCallback policy.

Original comment by mikesamuel@gmail.com on 18 Jan 2008 at 5:08
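As an added illustration of the two policies discussed above (reject javascript: and other unsafe schemes; optionally require relative URIs that do not climb above the base directory), here is a small URI rewriting policy in JavaScript. It is example code written for this page, not Caja's UriCallback or GxpCompiler, and every name in it (rewriteUri, escapesParent, sanitizeHrefs, the SAFE_SCHEMES allowlist, the regex-based attribute pass) is hypothetical. The sample markup is constructed from the payloads in the report.

```javascript
'use strict';

// Only schemes the policy lets through; javascript:, data:, vbscript: and
// anything unknown are rejected by omission. Hypothetical allowlist.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Attribute values arrive entity-encoded and the browser decodes them before
// parsing the URL, so the policy must decode too or "&#106;avascript:" gets by.
// Simplified decoder: numeric references (semicolon optional, as browsers
// accept) plus the five common named ones.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
const fromCp = cp => (cp > 0x10FFFF ? '\uFFFD' : String.fromCodePoint(cp));
function decodeEntities(s) {
  return s.replace(/&(?:#(\d+);?|#[xX]([0-9a-fA-F]+);?|(lt|gt|amp|quot|apos);)/g,
    (m, dec, hex, name) => (dec ? fromCp(+dec) : hex ? fromCp(parseInt(hex, 16)) : NAMED[name]));
}

// Browsers strip leading/trailing space and C0 controls and ignore embedded
// tab/LF/CR before looking for a scheme, so " java\nscript:alert(1)" still runs.
function canonicalize(uri) {
  return decodeEntities(uri)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// RFC 3986 scheme syntax; a relative reference cannot start with "name:".
function extractScheme(uri) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// The GxpCompiler-style rule from the thread: a relative path that never climbs
// above its base directory. Percent-decodes each segment (so %2e%2e counts as
// ..), treats '\' like '/' as browsers do for http(s) bases, and rejects
// malformed escapes. Query and fragment are ignored; they are not path.
function escapesParent(uri) {
  const path = uri.split(/[?#]/, 1)[0].replace(/\\/g, '/');
  let depth = 0;
  for (const raw of path.split('/')) {
    let seg;
    try { seg = decodeURIComponent(raw); } catch (e) { return true; }
    if (seg === '..') { if (--depth < 0) return true; }
    else if (seg !== '' && seg !== '.') depth++;
  }
  return false;
}

// Returns the cleaned URI, or null when the policy rejects it so the caller
// can drop the attribute instead of emitting it.
function rewriteUri(uri, opts = {}) {
  const clean = canonicalize(uri);
  const scheme = extractScheme(clean);
  if (scheme !== null) {
    if (opts.requireRelative || !SAFE_SCHEMES.has(scheme)) return null;
    return clean;
  }
  if (opts.requireRelative) {
    // Assumed reading of "relative": '/x' (absolute path) and '//host/x'
    // (scheme-relative, so effectively absolute) both leave the base directory.
    if (/^[\/\\]/.test(clean) || escapesParent(clean)) return null;
  }
  return clean;
}

// Re-encode before writing a decoded value back into an attribute, otherwise
// a value containing a quote would break out of it.
const ATTR_ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const attrEncode = s => s.replace(/[&<>"']/g, c => ATTR_ESC[c]);

// Demo-only: apply the policy to href attributes in a fragment. A real
// sanitizer runs the policy from inside its HTML parser; this regex pass is
// only enough for the well-formed markup below.
function sanitizeHrefs(html, opts = {}) {
  return html.replace(/\s+href\s*=\s*(["'])(.*?)\1/gi, (m, q, value) => {
    const safe = rewriteUri(value, opts);
    return safe === null ? '' : ` href=${q}${attrEncode(safe)}${q}`;
  });
}

// Constructed inputs: the payload from the report, an entity-obfuscated
// variant, and a harmless link.
const REPORT = "<a href='javascript:alert(1)'>blah</a>";
const ESCAPED = '<a href="&#106;avascript:alert(1)">blah</a>';
const OK = '<a href="https://example.com/">blah</a>';

for (const html of [REPORT, ESCAPED, OK]) {
  console.log(html, '->', sanitizeHrefs(html));
}
```

The two halves are independent: rewriteUri without options is the scheme allowlist the reporter is asking for, and requireRelative adds the stricter directory-confinement rule. Both decode entities and strip control characters first, because that is what the browser does before it decides whether a link is a script.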

GoogleCodeExporter commented 9 years ago

Original comment by erights on 28 Jan 2008 at 8:01

GoogleCodeExporter commented 9 years ago

Original comment by erights on 28 Jan 2008 at 8:25

GoogleCodeExporter commented 9 years ago
This code gets passed through the url callback properly.

Original comment by mikesamuel@gmail.com on 9 Mar 2008 at 2:51