# Prevent JavaScript links by parsing URLs

If you have a website that allows users to submit URLs, one of the (many many) things people will try to do to break your site is to submit URLs that use the javascript: protocol (rather than the more expected http: or https:). This is almost never something that you want, since it allows users to submit essentially arbitrary code that other users will run on click in the context of your domain (same origin policy).

So how do you fix it?

First thought would be to try to check the protocol:

> safe_url = (url) => !url.match(/^javascript:/)
[Function: safe_url]

> safe_url('http://www.example.com')
true

false


So what day was 9 days ago again?

\$ when 9 days ago

2014-07-13


# OpenID - Part 2

I wrote yesterday about getting OpenID up and running, but when I played with the code a bit more today, I realized that something funny was going on. Yahoo worked exactly as I expected, when I clicked on the link for the first time, it would take me to the Yahoo login page and then to a page to grant the proper permissions. All well and good. The same with Google.