Removing Javascript from HREFs

We want to allow "normal" href links to other webpages, but we don't want to allow anyone to sneak in client-side scripting.

Is searching for "javascript:" within the HREF and onclick/onmouseover/etc. events good enough? Or are there other things to check?

Answers


It sounds like you're allowing users to submit content with markup. As such, I would recommend taking a look at a few articles about preventing cross-site scripting which would cover a bit more than simply preventing javascript from being inserted into an HREF tag. Below is one I found that might be useful:

http://weblogs.java.net/blog/gmurray71/archive/2006/09/preventing_cros.html


Need Your Help

How to make items on a rails form sortable

javascript ruby-on-rails-4

Using Rails 4 and Ruby 1.9.3. Styling is handled by an internally developed gem based on bootstrap 3.

Boost serilaization with shared pointer and templates

c++ serialization boost boost-serialization

I'm new to C++ and how do i serialize the struct having shared pointer and template .

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.