oalders / html-restrict

HTML::Restrict - Strip away unwanted HTML tags

uri_schemes => [undef] opens door for javascript: scheme

jurajmajor opened this issue · comments

I tried the following:

use strict;
use warnings;
use feature 'say';
use HTML::Restrict;

# Allow only <a href="...">; uri_schemes => [undef] is meant to let
# only scheme-less (relative) URIs through.
my $r = HTML::Restrict->new(
    rules       => { a => ['href'] },
    uri_schemes => [undef],
);

# Prefix the javascript: URI with each C0 control character
# (code points 1..8 and 14..31) as a decimal character reference.
for my $byte (1 .. 8, 14 .. 31) {
    say $r->process(qq(<a href="&#$byte;javascript:alert(1);">click me</a>));
}

None of these links are filtered, but if I open the output in a browser (tested in Firefox 60 and Chrome 70), JavaScript gets executed after clicking on any link.

The same behaviour can be observed with hexadecimal entities (sprintf('&#x%x;', $byte)) or with chr($byte) instead of entities.

Maybe this is an issue of browsers behaving incorrectly, or of the URI module, but I guess it's better to let you know.
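As an added illustration (not code from this issue or from HTML::Restrict), the check below validates an href the way a browser will read it rather than the way it arrives in the markup: decode HTML character references first, strip leading and trailing C0 control characters and spaces (the WHATWG URL parser discards these before looking for a scheme), drop embedded tab and newline characters, and only then compare the scheme against an allow-list. It is written in Python so it runs without the Perl module installed; the function names, the allow-list and the relative-URI policy are assumptions chosen for the example. Run against the decimal, hexadecimal and raw-byte variants from the report, every one is rejected, while ordinary http, https and relative links pass.

```python
import html
import re
from typing import Iterable, List, Optional

# Assumed policy for this example: absolute URIs only with these schemes,
# plus scheme-less (relative) references.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# WHATWG URL parsing removes leading/trailing C0 controls (U+0000..U+001F)
# and U+0020 before the scheme is parsed, and removes ASCII tab, LF and CR
# anywhere in the input.
_LEADING_TRAILING = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize_href(raw: str) -> str:
    """Turn an attribute value into the string the URL parser will see."""
    decoded = html.unescape(raw)          # &#1; &#x9; etc. become code points
    decoded = _LEADING_TRAILING.sub("", decoded)
    return _TAB_NEWLINE.sub("", decoded)


def extract_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme, or None for a relative reference."""
    match = _SCHEME.match(url)
    return match.group(1).lower() if match else None


def href_allowed(raw: str,
                 allowed: Iterable[str] = ALLOWED_SCHEMES,
                 allow_relative: bool = True) -> bool:
    """Decide whether an href value may be kept after sanitising."""
    scheme = extract_scheme(normalize_href(raw))
    if scheme is None:
        return allow_relative
    return scheme in set(allowed)


def surviving_payloads() -> List[str]:
    """Replay the report's control-character prefixes in all three forms
    (decimal entity, hex entity, raw character) and return any href that
    the check would wrongly allow. The expected result is an empty list."""
    survivors = []
    for byte in (*range(1, 9), *range(14, 32)):
        for raw in (f"&#{byte};javascript:alert(1);",
                    f"&#x{byte:x};javascript:alert(1);",
                    chr(byte) + "javascript:alert(1);"):
            if href_allowed(raw):
                survivors.append(raw)
    return survivors


if __name__ == "__main__":
    print("survivors:", surviving_payloads())
    for sample in ("https://example.com/", "/relative/path",
                   "ftp://example.com/", "&#9;javascript:alert(1);"):
        print(f"{sample!r:40} -> {href_allowed(sample)}")
```

The order of operations is the point: checking the scheme on the raw attribute value sees no `javascript:` prefix because a control character or entity sits in front of it, whereas the browser decodes and trims before it parses the URL. Doing the same decode-then-trim before the allow-list comparison closes that gap; a sanitiser that cannot reproduce the browser's normalisation should reject hrefs containing any code point below U+0021 outright.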

Interesting. If you have a moment, could you create some failing tests for these scenarios and put them in a pull request? We could merge them when we have a look at fixing this.

Yes, I'll try to submit it later this week.