uri_schemes => [undef] opens door for javascript: scheme
jurajmajor opened this issue
I tried the following:
use strict;
use warnings;
use feature 'say';
use HTML::Restrict;

my $r = HTML::Restrict->new(
    rules       => { a => ['href'] },
    uri_schemes => [undef],    # allow scheme-less (relative) hrefs only
);
# Prefix the javascript: scheme with a single C0 control character, encoded as a decimal entity.
for my $byte (1 .. 8, 14 .. 31) {
    say $r->process(qq(<a href="&#$byte;javascript:alert(1);">click me</a>));
}
None of these links are filtered, but if I open the output in a browser (tested in Firefox 60 and Chrome 70), JavaScript gets executed after a click on any link.
The same behaviour can be observed with hexadecimal entities (sprintf('&#x%x;', $byte)) or with chr($byte) instead of entities.
Maybe this is an issue of browsers behaving incorrectly, or of the URI module, but I guess it's better to let you know.
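The following added example (not HTML::Restrict's code, and not from the reporter) contrasts a scheme check that looks at the raw href value with one that first decodes numeric character references and normalises the string the way the WHATWG URL parser does (strip leading/trailing C0 controls and space, drop tab/LF/CR anywhere) before consulting a scheme allow-list; `%ALLOWED_SCHEME`, the helper names and the sample hrefs are assumptions made for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

my %ALLOWED_SCHEME = map { $_ => 1 } qw(http https mailto);

# Decode numeric character references (&#NN; / &#xHH;). A real sanitiser
# should use a full decoder such as HTML::Entities for named references too.
sub decode_numeric_refs {
    my ($s) = @_;
    $s =~ s/&#x([0-9a-fA-F]+);?/chr(hex $1)/ge;
    $s =~ s/&#(\d+);?/chr($1)/ge;
    return $s;
}

# Mirror the WHATWG URL parser: strip leading/trailing C0 controls and
# space, and drop tab, LF and CR anywhere in the string.
sub normalise_url {
    my ($url) = @_;
    $url =~ s/^[\x00-\x20]+//;
    $url =~ s/[\x00-\x20]+$//;
    $url =~ s/[\t\n\r]//g;
    return $url;
}

# Lower-cased scheme of a URL, or undef when the value has no scheme.
sub scheme_of {
    my ($url) = @_;
    return $url =~ /^([A-Za-z][A-Za-z0-9+.\-]*):/ ? lc $1 : undef;
}

# Naive check on the raw attribute value: a control character or entity in
# front of "javascript:" makes the value look scheme-less, so it passes.
sub href_allowed_naive {
    my $scheme = scheme_of($_[0]);
    return defined $scheme ? ($ALLOWED_SCHEME{$scheme} ? 1 : 0) : 1;
}

# Hardened check: decode and normalise first, then apply the same allow-list.
sub href_allowed_hardened {
    my $scheme = scheme_of(normalise_url(decode_numeric_refs($_[0])));
    return defined $scheme ? ($ALLOWED_SCHEME{$scheme} ? 1 : 0) : 1;
}

# Constructed inputs mirroring the report, plus a benign link for contrast.
for my $href ("&#1;javascript:alert(1);", chr(14) . "javascript:alert(1);", "https://example.com/") {
    printf "%-28s naive=%d hardened=%d\n", $href =~ s/[\x00-\x1f]/?/gr,
        href_allowed_naive($href), href_allowed_hardened($href);
}
```

The naive check accepts both crafted values because neither begins with a letter, while the hardened check rejects them and still accepts the https link; allowing scheme-less values is what `uri_schemes => [undef]` means, so the normalisation step is what keeps that option safe.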
Interesting. If you have a moment, could you create some failing tests for these scenarios and put them in a pull request? We could merge them when we have a look at fixing this.
Yes, I'll try to submit it later this week.