
encodeURI the href to prevent XSS attacks via ending the quote and adding arbitrary scripts in onmouseover/onclick

Open mrooney opened this issue 14 years ago • 1 comments

Without this fix, a link such as:

http://xss.com/"onmouseover=alert('XSS');//

is a vulnerability.

I don't know how to minify the code so it would need a regen of the minified code, but this addresses the issue AFAIK.

mrooney Jun 11 '11 04:06

The problem with this is that non-malicious links will already be properly URI encoded. Calling encodeURI will double encode them. Perhaps something like this would be more appropriate:

if (href) {
  // Global regex: a string pattern would replace only the first quote.
  href = href.replace(/"/g, '%22');
}

jbaudanza Feb 25 '12 20:02
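
An added example, not part of the thread and not javascript-linkify's own code: it builds the anchor with each approach discussed above and reports what ends up outside the `href` value, using the URL from the issue and a constructed, already-encoded URL. The helper names and the `htmlEscape` variant (HTML attribute escaping instead of URI encoding) are assumptions made for the comparison.

```javascript
// Added example: helper names are hypothetical, not javascript-linkify's API.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text for an HTML text node or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Ways of preparing the matched URL before it is placed inside href="...".
const strategies = {
  raw: (url) => url,                             // no fix
  encodeURI: (url) => encodeURI(url),            // fix proposed in the issue
  quoteOnly: (url) => url.replace(/"/g, '%22'),  // fix proposed in the reply
  htmlEscape: (url) => escapeHtml(url),          // assumption: attribute escaping
};

function buildAnchor(url, strategy) {
  return '<a href="' + strategies[strategy](url) + '">' + escapeHtml(url) + '</a>';
}

// Text left in the opening tag after href's closing quote.
// Anything non-empty was parsed as extra attributes, not as part of the URL.
function leakedAttributeText(html) {
  const m = /^<a href="([^"]*)"([^>]*)>/.exec(html);
  return m ? m[2] : null;
}

const PAGE_URL = 'http://xss.com/"onmouseover=alert(\'XSS\');//'; // from the issue
const ENCODED_URL = 'http://example.com/a%20b?q=1&r=2';           // constructed sample

function compare(url) {
  const rows = {};
  for (const name of Object.keys(strategies)) {
    const html = buildAnchor(url, name);
    rows[name] = { html, leaked: leakedAttributeText(html) };
  }
  return rows;
}

for (const url of [PAGE_URL, ENCODED_URL]) {
  console.log(url);
  for (const [name, r] of Object.entries(compare(url))) {
    console.log('  ' + name.padEnd(10), JSON.stringify(r.leaked), r.html);
  }
}
```

With `htmlEscape` the already-encoded URL survives unchanged once the browser decodes the entities, while `encodeURI` turns its `%20` into `%2520`.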