Justin du Coeur (jducoeur) wrote,

Anyone have a good index of javascript-injection hacks in URLs?

(This one is for the programmers out there, and especially for security geeks.)

As I was doing some updates yesterday, it occurred to me that Querki now allows you to name your Things pretty much anything you want. Including "javascript:...do something malicious...". Since we generate relative URLs to pages (and therefore, the URL is basically this name), this is Bad.

I've fixed the obvious hack by the simple expedient of screening out any URLs that begin "javascript:", but I'm guessing that that isn't enough -- that there are other ways to be malicious with a URL.

So I'm looking for suggestions. Take it for granted that Querki allows you to specify URLs, and that those URLs can be *fairly* arbitrary relative URLs, so I can't just whitelist a simple legal syntax -- I probably need to think in terms of blacklisting the badness. Do you know a good comprehensive list of the possible syntaxes that could be used for Javascript injection when placed inside an href? (Better yet, do you know an existing regex pattern to detect them?)
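Added example (not code from the post or from Querki): the defensive answer to this question is usually to stop enumerating bad prefixes and instead normalize the URL the way a browser will and then allow-list the schemes you are willing to emit, while still permitting scheme-less relative references. The second function shows the other half of the problem described above: when a user-chosen name is turned into a relative URL, percent-encoding it means a raw ":" can never appear, so the name can never be read as a scheme at all. The allowed-scheme set and the test inputs are assumptions for illustration; Querki's actual naming and routing rules are not on the page.

```python
import html
import re
from urllib.parse import quote, urlsplit

# Policy assumption: the only absolute schemes the application is willing to
# emit in an href. Anything else (javascript, data, vbscript, ...) is rejected,
# so this is an allow-list, not a blacklist of known-bad prefixes.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# ASCII control characters and space: browsers tolerate these before and
# inside a scheme, so they must be removed before the scheme is inspected.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def normalize(raw: str) -> str:
    """Reduce a user-supplied URL to roughly the form a browser would parse."""
    text = html.unescape(raw)               # "&#106;avascript:" -> "javascript:"
    text = _CONTROL_OR_SPACE.sub("", text)  # drop tabs, newlines, leading spaces
    return text.replace("\\", "/")          # browsers treat "\" as "/" in http(s)


def is_safe_href(raw: str) -> bool:
    """True if the URL is a same-site relative reference or uses an
    allow-listed absolute scheme; False for everything else."""
    url = normalize(raw)
    if not url:
        return False
    parts = urlsplit(url)
    if parts.scheme == "":
        # No scheme: a relative reference such as "Things/Foo" or "#top".
        # Reject scheme-relative "//host/..." because it leaves the site.
        return parts.netloc == ""
    return parts.scheme.lower() in ALLOWED_SCHEMES


def relative_href_for(name: str) -> str:
    """Turn a user-chosen name into a relative URL path.

    Percent-encoding everything except "/" guarantees no raw ":" survives,
    so the result cannot be parsed as a scheme by any browser. (Assumption:
    this is the generic technique, not Querki's actual routing code.)
    """
    return quote(name, safe="/")


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for candidate in ("Things/My%20Thing", "#top", "https://example.com/page",
                      "javascript:alert(1)", "  JavaScript:alert(1)",
                      "&#106;avascript:alert(1)", "//evil.example/"):
        print(f"{candidate!r:32} -> {is_safe_href(candidate)}")
    print(relative_href_for("javascript:alert(1)"))
```

Two caveats worth keeping in mind: the check above is applied to the URL as stored, so the attribute value still has to be HTML-escaped when it is written into the page (otherwise a quote in the name breaks out of the href entirely), and the allow-list only has to be extended deliberately, so new spellings of "javascript:" never need to be chased.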
Tags: security