Remove Javascript from HREF

We want to allow "normal" href links to other web pages, but we don't want to let anyone slip in client-side scripts.

Is looking for "javascript:" inside HREF and for the onclick / onmouseover / etc. event attributes good enough? Or are there other things to check?

+3
6 answers

It looks like you are allowing users to post markup content, so I would recommend looking at a few articles on cross-site scripting prevention, which cover a bit more than just preventing JavaScript from being inserted into HREF. I have found that this may be useful:

http://weblogs.java.net/blog/gmurray71/archive/2006/09/preventing_cros.html

+4

For complete security you will need to use a whitelist of allowed protocols. If you use a blacklist, sooner or later you will miss something like "telnet://" or "shell:" or some browser feature you have never heard of ...

+3

No, there is much more to check.

First, the URL can be encoded (using HTML entities or URL encoding, or a combination of the two).

Secondly, you need to check for malformed HTML, which the browser may guess at and end up allowing some script.

Thirdly, you need to check for script-based CSS, for example background: url(javascript:...) or width: expression(...)

Probably more that I have missed - you need to be careful!

+2
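The whitelist answer and the encoding answer above describe the check in words; here it is as an added example in Python (not code from the original thread). It decodes HTML entities repeatedly, removes the tab/newline characters and leading controls that browsers ignore, percent-decodes, and only then compares the scheme against an allowlist. The scheme list, the function names, the treatment of relative links and the sample inputs are assumptions made for this example.

```python
import html
import re
import urllib.parse

# Allowlist: the only schemes a "normal" link may use. Anything not listed,
# known or not (javascript:, data:, vbscript:, telnet:, shell:, ...), is refused.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Browsers (WHATWG URL parsing) remove ASCII tab, LF and CR anywhere in a URL
# and trim leading/trailing C0 controls and spaces before looking at the
# scheme, so "java\tscript:" and " javascript:" still run as javascript:.
_TAB_NL_CR = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21)) + "\x7f"


def normalize_href(raw: str) -> str:
    """Undo the encodings an attacker can layer on a URL before it is judged."""
    s = raw
    # HTML entities: &#106;avascript:, &#x6A;avascript:, javascript&colon;,
    # with or without the trailing semicolon. Decode until the value stops
    # changing, because markup that is rendered twice is decoded twice
    # (&amp;#106; -> &#106; -> j).
    for _ in range(5):
        decoded = html.unescape(s)
        if decoded == s:
            break
        s = decoded
    s = _TAB_NL_CR.sub("", s).strip(_C0_AND_SPACE)
    # Percent-decoding is deliberately over-cautious: a browser does not
    # decode %6A inside a scheme, but a redirector or a second filter in
    # front of it might, so the verdict is taken on the fully decoded form.
    return urllib.parse.unquote(s)


def href_scheme(raw: str) -> str:
    """Lowercase scheme the URL resolves to after normalization; '' if relative."""
    return urllib.parse.urlsplit(normalize_href(raw)).scheme


def is_safe_href(raw: str, allow_relative: bool = True) -> bool:
    """True only if the link uses an allowlisted scheme (or is relative)."""
    try:
        scheme = href_scheme(raw)
    except ValueError:  # urlsplit rejects malformed IPv6 hosts and the like
        return False
    if scheme == "":
        return allow_relative
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample inputs: the bypasses a plain "javascript:" substring
    # search would miss, plus the links that should be accepted.
    samples = [
        "https://example.com/page",
        "/relative/path?x=1",
        "mailto:someone@example.com",
        "JaVaScRiPt:alert(1)",
        "&#106;avascript:alert(1)",
        "&#x6A;avascript:alert(1)",
        "&amp;#106;avascript:alert(1)",
        "javascript&colon;alert(1)",
        "java\tscript:alert(1)",
        " javascript:alert(1)",
        "%6Aavascript:alert(1)",
        "telnet://host.example",
        "data:text/html,<script>alert(1)</script>",
    ]
    for s in samples:
        print("%-6s %r" % ("OK" if is_safe_href(s) else "REJECT", s))
```

Run it as a script to see the verdict for each constructed sample. The point of the allowlist is visible in the last two lines: telnet: and data: are rejected without the filter ever having heard of them.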

You must be very careful with user input. You want to whitelist as mentioned, but not just for href. Example:

<img src="nosuchimage.blahblah" onerror="alert('Haxored!!!');" /> 

or

 <a href="about:blank;" onclick="alert('Haxored again!!!');">click meh</a> 
0

One option would be to disable HTML altogether and use the same kind of formatting that some forums use. Just replace

[url="xxx"]yyy[/url]

with

<a href="xxx">yyy</a>

This will let you get around the problems with onmouseover etc. Then just make sure the link starts with a whitelisted protocol and does not contain a quote (&quot; or any of the other forms that can be decoded by PHP or a browser).

0
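The forum-style markup approach from the answer above, as an added example in Python rather than the PHP the thread has in mind (this is not code from the original answer). It escapes the whole post first and then converts only well-formed [url="..."]...[/url] tags whose link starts with an assumed whitelist of https://, http:// or mailto: and contains no quote; the function and pattern names, the rel="nofollow" attribute and the sample inputs are made up for the example.

```python
import html
import re

# The only markup users may write: [url="..."]label[/url]. The captured link
# cannot contain a double quote or "]", which is the "does not contain a
# quote" rule from the answer above.
_URL_TAG = re.compile(r'\[url="([^"\]]*)"\](.*?)\[/url\]', re.IGNORECASE | re.DOTALL)

# The link must start with a whitelisted protocol and stay inside a safe
# attribute character set: no angle brackets, quotes or whitespace.
_SAFE_LINK = re.compile(r'^(?:https?://|mailto:)[^\s"\'<>]+$', re.IGNORECASE)


def render_markup(text: str) -> str:
    """Turn forum-style [url] markup into HTML; everything else is shown literally."""
    out = []
    pos = 0
    for m in _URL_TAG.finditer(text):
        # Text between tags is escaped, so a raw <a>, <img onerror=...> or
        # <script> typed by the user is displayed, never interpreted.
        out.append(html.escape(text[pos:m.start()]))
        link, label = m.group(1), m.group(2)
        if _SAFE_LINK.match(link):
            # The prefix check runs on the raw link, and html.escape then
            # encodes & as &amp;, so the browser sees exactly the characters
            # that were checked: an entity such as &#106; cannot re-appear
            # as a character inside the attribute.
            out.append('<a href="%s" rel="nofollow">%s</a>'
                       % (html.escape(link, quote=True), html.escape(label)))
        else:
            # Rejected link: show the markup literally instead of dropping it silently.
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample posts.
    for post in [
        'see [url="https://example.com/a?b=1&c=2"]here[/url]',
        '<img src="x" onerror="alert(1)">',
        '[url="javascript:alert(1)"]x[/url]',
        '[url="https://example.com/"onmouseover="alert(1)"]x[/url]',
    ]:
        print(render_markup(post))
```

Because the check is applied to the raw text and the output is escaped afterwards, the "does not contain a quote" rule is enforced structurally: a link with a quote simply never matches the pattern, and the attempt is printed back as harmless text.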

It looks like you are looking for a companion function to PHP's strip_tags, a strip_attributes. Unfortunately, it has not been written yet. (Hint, hint.)

However, the strip_tags documentation has an interesting suggestion:

http://www.php.net/manual/en/function.strip-tags.php#85718

In theory, this will strip everything that is not an href, class, or id from the links provided; it sounds like you probably want to lock it down even further and allow only hrefs.

0
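The strip_attributes function the answer above says has not been written, covering the onerror/onclick cases from the earlier answer as well, as an added example in Python using the standard library's html.parser (this is not PHP code and not from the original thread). It keeps an assumed allowlist of tags, copies no attribute except href on <a>, and accepts that href only with an http, https or mailto scheme; the tag list, the rel="nofollow" attribute, the class and function names and the sample inputs are assumptions for the example.

```python
import html
import urllib.parse
from html.parser import HTMLParser

# Tags that survive. Every other tag is removed (its text is kept), except
# that the contents of <script>/<style> are dropped along with the tags.
ALLOWED_TAGS = frozenset({"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"})
VOID_TAGS = frozenset({"br"})
DROP_CONTENT_TAGS = frozenset({"script", "style"})
# The only attribute that survives is href on <a>, and only with these schemes.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})


def _href_ok(value: str) -> bool:
    # HTMLParser has already decoded entities in attribute values, so
    # &#106;avascript: arrives here as javascript:. Browsers also ignore
    # tab/LF/CR inside a URL and leading/trailing controls, so remove those
    # before reading the scheme. Relative links are not accepted here.
    v = value.replace("\t", "").replace("\n", "").replace("\r", "")
    v = v.strip("".join(chr(c) for c in range(0x21)) + "\x7f")
    try:
        return urllib.parse.urlsplit(v).scheme in ALLOWED_SCHEMES
    except ValueError:  # malformed IPv6 host and the like
        return False


class AttributeStripper(HTMLParser):
    """Re-serializes a fragment keeping only allowlisted tags and <a href>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []
        self._open = []   # tags we emitted and still need to close
        self._skip = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # tag removed; its text still arrives via handle_data
        attr_text = ""
        if tag == "a":
            href = dict(attrs).get("href")
            if href and _href_ok(href):
                attr_text = ' href="%s" rel="nofollow"' % html.escape(href, quote=True)
        # onclick, onmouseover, onerror, style, class, id ... are never copied.
        self._out.append("<%s%s>" % (tag, attr_text))
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(self._skip - 1, 0)
            return
        if self._skip or tag not in self._open:
            return  # stray or disallowed end tag
        while self._open:  # close anything left open inside it, keeping output balanced
            top = self._open.pop()
            self._out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self._skip:
            # data is already entity-decoded; re-escape it so it stays text
            self._out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self._open:  # close tags the user left open
            self._out.append("</%s>" % self._open.pop())
        return "".join(self._out)


def sanitize_html(fragment: str) -> str:
    p = AttributeStripper()
    p.feed(fragment)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed samples, including the two payloads posted earlier in the thread.
    for frag in [
        '<a href="https://example.com" onclick="alert(1)" class="x">ok</a>',
        '<img src="nosuchimage.blahblah" onerror="alert(1);" />',
        '<a href="about:blank;" onclick="alert(1);">click meh</a>',
        '<a href="&#106;avascript:alert(1)">x</a>',
        '<script>alert(1)</script><b>bold',
    ]:
        print(repr(sanitize_html(frag)))
```

Re-serializing from a parse tree, rather than patching the original string with regular expressions, is what makes the malformed-HTML case manageable: the output is rebuilt from tokens the parser actually understood, unclosed tags are closed, and anything the parser did not recognise never reaches the output.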
