- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 7 Dec 2009 06:05:24 +0000 (UTC)
- To: Adam Barth <w3c@adambarth.com>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, Maciej Stachowiak <mjs@apple.com>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Sun, 6 Dec 2009, Adam Barth wrote:
>
> In some sense, a site needs to vet all URLs for javascript URLs, but
> this behavior means that every time you see "javascript:" in an XSS
> filter, they're probably insecure unless you also see "data:" right next
> door. (By the way, I'd imagine data URLs in a@href is a more common XSS
> hole than iframe@src.)

If you're blacklisting URL schemes, instead of whitelisting URLs you think
are safe, then you're in all kinds of trouble anyway.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 7 December 2009 06:06:02 UTC