Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't see why javascript: is fundamentally different than other XSS vectors


because for other types of injections Yesod WILL actually properly encode <script> tags and make them &lt;script&gt; which will prevent SOME XSS exploits

but it doesn't prevent all of them


This is not true, at least not anymore.

Yesod uses xss-sanitize [0], and their sanitize function does indeed prevent "javascript:" attempts. They even have a test case for it [1].

Playing around with it in the REPL:

  Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=javascript:alert('XSS')>"
  "<img>"
  Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=\"javascript:alert('XSS')\">"
  "<img>"
  Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=fine>"
  "<img src=\"fine\">"
  Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=\"this is ok too\">"
  "<img src=\"this is ok too\">"
[0]: https://hackage.haskell.org/package/xss-sanitize

[1]: https://github.com/yesodweb/haskell-xss-sanitize/blob/9a9101...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: