Justin du Coeur (jducoeur) wrote,

Anyone have a good index of javascript-injection hacks in URLs?

(This one is for the programmers out there, and especially for security geeks.)

As I was doing some updates yesterday, it occurred to me that Querki now allows you to name your Things pretty much anything you want. Including "javascript:...do something malicious...". Since we generate relative URLs to pages (and therefore, the URL is basically this name), this is Bad.

I've fixed the obvious hack by the simple expedient of screening out any URLs that begin "javascript:", but I'm guessing that that isn't enough -- that there are other ways to be malicious with a URL.

So I'm looking for suggestions. Take it for granted that Querki allows you to specify URLs, and that those URLs can be *fairly* arbitrary relative URLs, so I can't just whitelist a simple legal syntax -- I probably need to think in terms of blacklisting the badness. Do you know a good comprehensive list of the possible syntaxes that could be used for Javascript injection when placed inside an href? (Better yet, do you know an existing regex pattern to detect them?)
Tags: security
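The post's "screen out anything beginning with javascript:" check is a blacklist, and the question it ends with (a regex for every injection syntax) is the blacklist's maintenance problem in disguise. The example below is an added illustration, not Querki's code, of the other approach: normalize the href the way a browser will, then allow only a short list of schemes plus scheme-less relative references, so unknown schemes and encoding tricks fail closed. The allowed-scheme set, the function names and the sample inputs are assumptions for the demonstration; the normalization steps follow the WHATWG URL parser's documented pre-processing (strip C0 controls and spaces at the ends, delete tab/LF/CR anywhere, treat the scheme case-insensitively).

```python
import html
import re
from typing import Optional
from urllib.parse import quote

# Assumed policy: the only schemes an explicitly supplied href may use.
# Anything else (javascript:, data:, vbscript:, ...) is rejected without being
# named, which is what makes this an allowlist rather than a blacklist.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# WHATWG URL: a scheme is an ASCII letter followed by letters, digits, '+', '-'
# or '.', terminated by ':'. Browsers match it case-insensitively.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Characters the URL parser strips from both ends (C0 controls and space) and
# characters it deletes anywhere in the input (tab, LF, CR).
_EDGE_STRIP = "".join(chr(c) for c in range(0x21))
_INNER_DELETE = re.compile(r"[\t\n\r]")


def normalize_href(raw: str) -> str:
    """Canonicalize a user-supplied href the way a browser will before it
    looks at the scheme.

    HTML character references are decoded first, so the check still holds if
    a template later emits the value unescaped (an attribute value written as
    "&#106;avascript:" reaches the URL parser already decoded). The whitespace
    rules then mirror the parser, so padding cannot hide a scheme.
    """
    decoded = html.unescape(raw)
    return _INNER_DELETE.sub("", decoded.strip(_EDGE_STRIP))


def safe_href(raw: str) -> Optional[str]:
    """Return an href that is safe to emit, or None if it must be rejected.

    Scheme-less (relative) references pass through, which keeps the "fairly
    arbitrary relative URL" requirement intact. Absolute references pass only
    when their scheme is on ALLOWED_SCHEMES.
    """
    url = normalize_href(raw)
    match = _SCHEME_RE.match(url)
    if match is None:
        return url  # no scheme, so the browser resolves it as a relative path
    if match.group(1).lower() in ALLOWED_SCHEMES:
        return url
    return None  # unknown or scripting scheme: fail closed


def thing_href(name: str) -> str:
    """Build the relative link for a Thing from its (arbitrary) name.

    Percent-encoding every reserved character, including ':', means the browser
    can never read a scheme out of the name, and the "./" prefix makes the
    intent explicit even if a later edit relaxes the encoding.
    """
    return "./" + quote(name, safe="")


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real site.
    for candidate in ["https://example.org/", "My Thing", "javascript:alert(1)",
                      " java\tscript:alert(1)", "&#106;avascript:alert(1)"]:
        print(repr(candidate), "->", repr(safe_href(candidate)))
    print(thing_href("javascript:alert(1)"))
```

Two things worth noticing. A Thing whose name contains a colon before any slash (say "Notes:2017") is rejected by `safe_href` when typed as a bare href, because a browser would read "Notes" as a scheme; the link Querki itself generates for it goes through `thing_href`, where the percent-encoding removes the ambiguity. And the cost of the allowlist is a short, explicit list of schemes you choose to support, rather than a regex that has to keep pace with every scheme and encoding a browser accepts.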