Justin du Coeur (jducoeur) wrote,

Anyone have a good index of javascript-injection hacks in URLs?

(This one is for the programmers out there, and especially for security geeks.)

As I was doing some updates yesterday, it occurred to me that Querki now allows you to name your Things pretty much anything you want. Including "javascript:...do something malicious...". Since we generate relative URLs to pages (and therefore, the URL is basically this name), this is Bad.

I've fixed the obvious hack by the simple expedient of screening out any URLs that begin "javascript:", but I'm guessing that that isn't enough -- that there are other ways to be malicious with a URL.

So I'm looking for suggestions. Take it for granted that Querki allows you to specify URLs, and that those URLs can be *fairly* arbitrary relative URLs, so I can't just whitelist a simple legal syntax -- I probably need to think in terms of blacklisting the badness. Do you know a good comprehensive list of the possible syntaxes that could be used for Javascript injection when placed inside an href? (Better yet, do you know an existing regex pattern to detect them?)
Tags: security
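An added example (not code from the post or from Querki) showing the approach a defender would take instead of blacklisting syntaxes: normalize the way a browser does before looking for a scheme, then allow only a short list of schemes plus scheme-less relative references, and build Thing links so that a name can never be parsed as a scheme at all. Function names (`detect_scheme`, `safe_href`, `thing_href`) and the sample inputs are constructed for this example.

```python
import html
import re
from typing import Optional
from urllib.parse import quote, urlsplit

# The only schemes an href is allowed to carry. Everything else, known or not, is rejected,
# so the list of dangerous syntaxes never has to be complete.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Browsers strip leading/trailing C0 controls and spaces and drop tab/newline anywhere in a
# URL before they look for a scheme, so scheme detection has to ignore the same characters.
_IGNORED_FOR_SCHEME = re.compile(r"[\x00-\x20\x7f]")
# Control characters have no business in a URL we emit; spaces are kept and percent-encoded.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def detect_scheme(raw: str) -> str:
    """Return the lowercase scheme a browser would see in `raw`, or '' for a relative reference."""
    text = html.unescape(raw)  # a stored name may have been entity-encoded
    text = _IGNORED_FOR_SCHEME.sub("", text)
    return urlsplit(text).scheme.lower()


def safe_href(raw: str) -> Optional[str]:
    """Validate a user-supplied absolute or relative URL; None means 'do not emit this href'."""
    scheme = detect_scheme(raw)
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    cleaned = _CONTROL_CHARS.sub("", html.unescape(raw))
    # Percent-encode anything a URL may not carry literally; the safe set keeps the
    # structural characters of an already well-formed URL intact.
    return quote(cleaned, safe="/:?&=#%+@")


def thing_href(name: str) -> str:
    """Build the relative link for a Thing from its name so the name can never become a scheme."""
    segment = quote(_CONTROL_CHARS.sub("", html.unescape(name)), safe="")
    # quote(safe="") already turns ':' into %3A, so no scheme delimiter survives. The './'
    # prefix is belt and braces: RFC 3986 forbids ':' in the first segment of a
    # relative-path reference, and './' forces the browser to read this as a path.
    return "./" + segment


if __name__ == "__main__":
    for candidate in ("javascript:doSomething()", "things/My Thing", "https://example.com/a b"):
        print(repr(candidate), "->", safe_href(candidate))
    print(thing_href("javascript:doSomething()"))
```

`safe_href` deliberately rejects a relative reference whose first segment contains a colon (e.g. `Note: foo`), because a browser would read `Note` as a scheme; such links are legitimately written `./Note: foo`, which `thing_href` does automatically for generated Thing links.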