ezyang / htmlpurifier

Standards compliant HTML filter written in PHP
http://htmlpurifier.org
GNU Lesser General Public License v2.1

javascript in a href if set with : #369

Closed joebordes closed 1 year ago

joebordes commented 1 year ago

<a href="javascript:alert(document.domain)">XSShref1</a>

gets sanitized to

<a>XSShref1</a>

but

<a href="javascript&colon;alert(document.domain)">XSShref2</a>

is left unmodified. Is that the expected behaviour of the library?

ezyang commented 1 year ago

To be clear, it is not left unmodified: the &colon; is converted to &amp;colon;. The result is a valid URL to a local file named javascript&colon;alert(document.domain), all of which is legal. Do you have a browser which is actually interpreting this as JavaScript?

joebordes commented 1 year ago

Ah, I see. My code is reverting the &amp; change. OK, sorry for the noise and thanks for the support :-)
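Added example, not from the thread or from HTML Purifier's code: a Python sketch of why undoing the `&amp;` escaping after sanitization brings the `javascript:` scheme back, plus a check that reads the href the way a browser would. The strings are constructed from the snippets above; `revert_amp`, `browser_view`, `scheme_of`, `href_is_safe` and the scheme allowlist are hypothetical names and assumptions, and Python's `html.unescape` stands in for the browser's HTML5 entity decoding.

```python
import html
import re

# Constructed strings mirroring the thread.
RAW_HREF = "javascript&colon;alert(document.domain)"            # as submitted
SANITIZED_HREF = "javascript&amp;colon;alert(document.domain)"  # as ezyang describes the output

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed allowlist
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def revert_amp(markup: str) -> str:
    """Hypothetical model of the post-processing step that undid '&amp;'."""
    return markup.replace("&amp;", "&")


def browser_view(attr_source: str) -> str:
    """Attribute value after the HTML parser's single entity-decoding pass."""
    return html.unescape(attr_source)


def scheme_of(url: str):
    """Scheme as a URL parser sees it: tabs/newlines removed, leading
    C0 controls and spaces trimmed. None means a relative URL."""
    cleaned = re.sub(r"[\t\r\n]", "", url).lstrip(_C0_AND_SPACE)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def href_is_safe(attr_source: str) -> bool:
    """True if the href, as the browser will read it, is relative or allowlisted."""
    scheme = scheme_of(browser_view(attr_source))
    return scheme is None or scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    for label, value in [("sanitized", SANITIZED_HREF),
                         ("reverted", revert_amp(SANITIZED_HREF))]:
        print(f"{label:10} {value!r:55} scheme={scheme_of(browser_view(value))!r} "
              f"safe={href_is_safe(value)}")
```

Run a check like this on the final string written into the page, after every transformation, rather than on the sanitizer's output alone.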