roozbeh-hoseiny / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

onsiteURL regex lets javascript code go through #11

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The href attribute of the anchor tag can take javascript code to execute
when clicking on the link.

Scanning something like:
"<a href=\"javascript:alert('xss!');\">xss</a>"

The "onsiteURL" will mark it as invalid because it does not accept the
parenthesis.

However, scanning something like:
"<a href=\"javascript:alert%28%27xss%27%29\">xss</a>"

Will go through and will get executed when clicking on the link.

According to the URL spec, page 15
(http://www.w3.org/Addressing/URL/url-spec.txt), the colon is a reserved
character. I suggest not to include this character in the set of accepted
characters in the onsiteURL regex. Currently this character is accepted
through the range specified in #-~.

I suggest breaking down this range in two in order to exclude the colon.
I'm not sure if then the other reserved characters should be excluded too
or how should they be handled (like the question mark character). 

This issue was originally posted in the mailing list:
https://lists.owasp.org/pipermail/owasp-antisamy/2008-May/000041.html

Original issue reported on code.google.com by carlos.a...@gmail.com on 2 Jun 2008 at 2:34
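The following is an added example, not AntiSamy's code and not part of the original report. It models the whitelist described above as a single character class built from the ASCII range #-~ (0x23..0x7E), which contains the colon (0x3A) but, per the report, rejects parentheses (0x28, 0x29). The exact AntiSamy regex is not reproduced; the `ORIGINAL_ONSITE` and `FIXED_ONSITE` patterns, the helper names and the sample hrefs are all assumptions constructed for illustration. The fixed pattern applies the suggestion in the report: split the range so the colon is no longer a member, while keeping `?`, `=`, `/` and `#` so ordinary onsite links with query strings and fragments still pass.

```python
import re
from urllib.parse import unquote

# Hypothetical model of the whitelist described in the report (not the
# real AntiSamy regex). Range #-' is 0x23..0x27, range *-~ is 0x2A..0x7E,
# so the class is #-~ with the parentheses cut out but ':' still inside.
ORIGINAL_ONSITE = re.compile(r"^[#-'*-~]*$")

# Suggested fix: split the range again around ':' (0x3A). '9' is 0x39 and
# ';' is 0x3B, so #-' *-9 ;-~ is the same set minus '(' ')' and ':'.
FIXED_ONSITE = re.compile(r"^[#-'*-9;-~]*$")


def is_onsite_url(href: str, pattern: re.Pattern = FIXED_ONSITE) -> bool:
    """Return True if href is accepted by the given whitelist pattern."""
    return pattern.fullmatch(href) is not None


def href_as_browser_sees_it(href: str) -> str:
    """Show why the percent-encoded payload is still live.

    A browser picks the scheme off the raw string first and only then
    percent-decodes what follows, so 'javascript:alert%28%27xss%27%29'
    reaches the script engine as alert('xss'). A colon that is itself
    encoded (%3A) is never decoded before scheme detection, so it does
    not form a scheme and the href stays a harmless relative URL.
    """
    scheme, sep, rest = href.partition(":")
    if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*", scheme):
        return href                      # no scheme: relative URL, untouched
    return f"{scheme}:{unquote(rest)}"


# Constructed sample hrefs for this example (not from the report).
CASES = [
    "javascript:alert('xss!');",          # literal parens: rejected by both
    "javascript:alert%28%27xss%27%29",    # encoded parens: passes the original
    "javascript%3Aalert%281%29",          # encoded colon: no scheme, harmless
    "/docs/page.html?id=42#section",      # ordinary onsite link
    "http://example.com/",                # absolute URL, not onsite
]


def classify(href: str) -> dict:
    """Run one href through both patterns and show the decoded form."""
    return {
        "original": is_onsite_url(href, ORIGINAL_ONSITE),
        "fixed": is_onsite_url(href, FIXED_ONSITE),
        "browser_sees": href_as_browser_sees_it(href),
    }


if __name__ == "__main__":
    for h in CASES:
        print(f"{h!r}: {classify(h)}")
```

The second case is the one from the report: the original class accepts it because every character (letters, `:`, `%`, digits) sits inside #-~, and the browser decodes the body back to `alert('xss')`. The fixed class rejects it on the literal colon alone, without needing to know anything about the `javascript` scheme. The third case shows that an encoded colon does not need to be blocked, because it never becomes a scheme delimiter.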

GoogleCodeExporter commented 9 years ago
This is a duplicate:
http://code.google.com/p/owaspantisamy/issues/detail?id=4&can=1

However, your supporting info was very useful anyway. Thanks!

Original comment by arshan.d...@gmail.com on 2 Jun 2008 at 7:29