Prevent JavaScript links by parsing URLs

2019-05-02

If you have a website that allows users to submit URLs, one of the (many many) things people will try to do to break your site is to submit URLs that use the javascript: protocol (rather than the more expected http: or https:). This is almost never something that you want, since it allows users to submit essentially arbitrary code that other users will run on click in the context of your domain (same origin policy).

So how do you fix it?

First thought would be to try to check the protocol:

> safe_url = (url) => !url.match(/^javascript:/)
[Function: safe_url]

> safe_url('http://www.example.com')
true

> safe_url('javascript:alert(1)')
false

read more...

OpenID - Part 2

2012-07-20
I wrote yesterday about getting OpenID up and running, but when I played with the code a bit more today, I realized that something funny was going on. Yahoo worked exactly as I expected, when I clicked on the link for the first time, it would take me to the Yahoo login page and then to a page to grant the proper permissions. All well and good. The same with Google.

read more...

Adventures in OpenID land

2012-07-19
Today I started working on a little webapp. It’s mostly to get me back in practice writing website code, but it does hopefully have the side effect of being useful. More on that later though, perhaps when it’s actually working. In any case, the first thing that I wanted to do for this app was to set up some sort of authentication system. Since I don’t have HTTPS set up at the moment with my webhost (Dreamhost; they really are pretty good to work with and far better than my previous host) and it doesn’t really make as much sense to send passwords in plaintext over the network, I decided to go ahead and give OpenID a try.

read more...