ansaurus

Question

Can Javascript be written in a html href tag?

Answer 1

+4 A:

<a href="javascript:void(0)" onclick="alert('hi');">Bad</a>

or

<a href="javascript:alert('hi');">Bad</a>

Duniyadnd 2010-06-18 23:57:35

Ah! Please people - stop putting "#" as the href for links that execute JavaScript. Use "javascript:void(0)" instead. That way the page doesn't scroll to the top when the link is clicked.

George Edison 2010-06-19 00:00:38

@George: Care to explain why?

Christopher Parker 2010-06-19 00:02:08

@Chris: I thought I did :)

George Edison 2010-06-19 00:03:53

@George - I removed it, though if that's your biggest issue, you can add a "return false" at the end of the onclick attribute.

Duniyadnd 2010-06-19 00:21:28

Answer 2

+1 A:

you can do this:

<a href="javascript:(function(){
    alert('hello');
})()">Hello</a>

if you want to get really crazy

Edit: I like this even better

<a onclick="alert(eval({Crazy:function(){alert('Hello');return 'World';}}).Crazy());">
    Crazy
</a>

Seattle Leonard 2010-06-18 23:59:46

you could put whole classes in there

Seattle Leonard 2010-06-19 00:00:27

You could even in theory import an external javascript file and access pretty much anything on the page and send it anywhere on the internet.

George Edison 2010-06-19 00:05:29

So how do you stop this with a whitelist( I am using html agility pack) without just not allowing links?

chobo2 2010-06-19 00:12:51

use regex to parse the href attribute and only allow fully qualified links. Something like ^http(s)?://(www\.)?(\w+\.)?(\w+)\.(com)$I know that's not completely right but I just wrote it on the fly

Seattle Leonard 2010-06-19 00:17:50

Ya that's what I actually did I used regex but apparently I still have to worry about UTF-8 Unicode encoding one, hex encoding, jav ascript , jav ascript. So I am not sure how to deal with them.

chobo2 2010-06-19 05:44:18

Answer 3

+2 A:

If you're trying to write an XSS validator for user-entered HTML for production, I highly recommend you use an existing library. Even with the whitelist approach you are taking, there are many, many possible attribute values that can result in XSS. Search for "javascript:" in the XSS Cheat Sheet to see all sorts of places javascript: uris can turn up. Here is an incomplete list:

<IMG SRC="javascript:alert('XSS');">
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">

There are also ways to inject external script urls, like this:

<XSS STYLE="behavior: url(xss.htc);">

If you're writing this for your own education, then the XSS Cheat Sheet has some really great fodder for unit tests.

Annie 2010-06-19 00:21:56

Naw I am not trying to use an XSS validator...I would use the one that comes with asp.net mvc. I am trying to make a whitelist.

chobo2 2010-06-19 00:48:26

Oh good :) But I think the cheat sheet still answers your question about all the ways JavaScript can be written.

Annie 2010-06-19 01:18:41

Hmm I am not sure how to handle a couple of these cases. UTF-8 Unicode encoding one, hex encoding, jav ascript , jav ascript. Httml agility pack helps me with the <script> ones but I don'tthink these ones.

chobo2 2010-06-19 05:43:19

Can the word javascript in these tags have any number of spaces(ie can you have j space a space v space a....

chobo2 2010-06-19 06:07:47

No spaces in "javascript" -- but it can be any case, and have spaces (and looks like some other special chars) before and after "javascript".

Annie 2010-06-19 06:15:29

ansaurus

tags:

views:

answers:

Can Javascript be written in a html href tag?

related questions