Is it safe to allow links starting with # (hash)?

I am creating a web app where users can dynamically create HTML content. Is it safe (e.g. with respect to XSS attacks) to let them create links starting with #?

I can't think of why it wouldn't be - maybe I'm just paranoid. (My JavaScript code does nothing specific for # URLs.)

In any case, one of the reasons I ask is that I use the Google Caja HTML sanitizer to sanitize HTML. It filters URLs; however, the default filter looks like this:

```javascript
// Default filter: only absolute http(s) URLs pass; anything else is dropped.
function urlX(url) { if (/^https?:\/\//.test(url)) { return url; } }
```

That is, the protocol must be specified, and only HTTP and HTTPS are allowed (not javascript:). I recently changed the URL filtering function to:

```javascript
// Changed filter: also lets same-page fragment links (#...) through.
function urlX(url) { if (/^https?:\/\//.test(url) || /^#/.test(url)) return url; }
```

(That is, #... is also allowed.)

I thought I should ask whether you think #... links are safe.

(For example, a browser won't do anything crazy with links such as `href='#javascript:...'`? Well, mine doesn't, but maybe some other browser does... or something else I don't know about.)

+4

2 answers

This should be safe: everything after # in the URL is parsed by browsers as a fragment identifier.

Of course, if you have JavaScript on the page that reads this fragment identifier and does something insecure with it, then all bets are off. But keep in mind that in that case you have a more fundamental security problem that you need to fix.

There's not much point in just banning links starting with #, as an attacker can still include the malicious fragment identifier in a full URL, or even in a link pointing to your site from somewhere else.

+3

It is not safe. For example, there was an XSS problem with jQuery's $(location.hash). There is a PoC at http://ma.la/jquery_xss/ .

So either deny it or sanitize everything after # correctly.

+3
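As an added example (the editor's code, not from the question or either answer), the filter from the question beside what each answer is pointing at: how a `#...` href is parsed (the fragment never becomes a scheme, the first answer's point) and a validation step for script that consumes `location.hash`, which is where the second answer's jQuery `$(location.hash)` problem lives. The base URL `https://example.test/app/` is a constructed stand-in.

```javascript
// Added example (editor's code, not from the question or either answer).
// Two layers are involved when a user-supplied href may start with "#":
//  1. The URL itself: browsers treat everything after "#" as the fragment, so
//     "#javascript:alert(1)" is inert as a link target (first answer).
//  2. Page script that consumes location.hash: passing it straight into a
//     selector/HTML API such as jQuery's $(location.hash) is the real XSS
//     surface (second answer), so that consumer must validate the fragment.

// Allow-list filter in the spirit of the question's urlX: absolute http(s)
// URLs and same-document fragment links pass; javascript:, data: etc. are dropped.
function urlX(url) {
  if (/^https?:\/\//.test(url) || /^#/.test(url)) return url;
  return undefined;
}

// Resolve a candidate href against the page URL (constructed base) and report
// what the browser would actually use as the scheme and as the fragment.
function classifyHref(href, base = 'https://example.test/app/') {
  const u = new URL(href, base);
  return { protocol: u.protocol, hash: u.hash };
}

// Safe consumer for location.hash: accept only an HTML id-like token and build
// a selector from it; anything that could be read as HTML or as a complex
// selector is refused. Returns null when the fragment must be ignored.
function fragmentToSafeSelector(hash) {
  const m = /^#([A-Za-z][\w-]*)$/.exec(hash);
  return m ? `#${m[1]}` : null;
}
```

The filter alone cannot tell a harmless `#intro` from a hash meant for a vulnerable consumer; only the consumer-side check does, which is why the first answer says banning `#` links would not remove the problem.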

Source: https://habr.com/ru/post/1394548/

