user
Reputation: 18569
Preventing XSS when using .attr('href', url) in jQuery
I want to update the href tag in jQuery. The data is untrusted. I'm trying to understand how can I craft a malicious input to cause an XSS type attack.
<a href='http://example.com' class='link'>Link</a>
My understanding is that the function below should terminate the href tag unexpectedly and create a new attribute onclick, but it doesn't work.
$('.link').on('click', function(e){
e.preventDefault();
$(this).attr('href',"' onclick='alert(\"ok\")'");
});
Here's the fiddle : http://jsfiddle.net/c1d7tuda/1/
P.S. End goal is to use _.escape() for HTML entities, but want to justify its usage.
Upvotes: 0
Views: 2917
Answers (1)
MrWerbenjagermanjensen
Reputation: 384
If you're updating the href attribute of your link using unvalidated user input, a malicious user could supply javascript:alert(0) as their href value. Then, if a user clicked on the link, it would execute the malicious user's arbitrary javascript.
Upvotes: 1
Related Questions
- JS Prevent XSS but allow HTML URL
- How to prevent against XSS located in Javascript HREF attribute?
- Is it possible to perform a XSS attack using jQuery's .attr("href", value) method for <a> tags?
- Is URL encoding sufficient for href attribute for protection against XSS?
- how to prevent xss of href attribute at the server side?
- jQuery safe injection of html
- Protect JQuery code against XSS
- Filter XSS in href attribute?
- href security, prevent xss attack
- Preventing the user from entering javascript instead of a url for use in an href