mozilla / scanjs

[DEPRECATED] Static analysis tool for javascript code.

[testing][false positive] - href rule #81

Closed pwnetrationguru closed 2 years ago

pwnetrationguru commented 10 years ago

Our href rule flags the following safe example:

a.href = "http://mozilla.org";

We only care about javascript/data protocols

pauljt commented 10 years ago

Not necessarily; the point of this rule was that this may be an interesting part of the code to review, not that it is necessarily a security issue in its own right.

On 20 Mar 2014, at 4:48 am, Rob Fletcher notifications@github.com wrote:

Our href rule flags the following safe example:

a.href = "http://mozilla.org";

We only care about javascript/data protocols


pwnetrationguru commented 10 years ago

Ah ok, I was basing my comment on the rule description and recommendation below:

"desc": "URLs pointing to the javascript: and data: protocols can lead to XSS.",
"rec": "Sanitize URLs to make sure they point to something that is allowed, if you have to deal with user input."

@pauljt, should we close this issue and update the rule description?

mozfreddyb commented 10 years ago

Well, I think we should :) There surely is some value in that rule even if there's no data or javascript URI involved.

zombie commented 9 years ago

I'm not sure what's left to do here... just to close this issue, or to update the description for the rule?