
javascript URL in href purified away

Posted by BreT 
BreT
javascript URL in href purified away
September 05, 2007 11:21AM

Hello, I've got a problem with this great tool. I want to allow javascript calls in the href Attribute of the Element a such as:

<a href="javascript:openWindow(&#039;http://link/to/popup&#039;);">pop it up</a>

The function openWindow should open up the popup with the given link, but the HTMLPurifier purifies this code away! What can I do now? Are there any ways to allow this call?

So Long, BreT

Re: javascript URL in href purified away
September 05, 2007 02:20PM

A workaround that doesn't address the issue with HP:

The better and more standard-compliant (?) way is to use

<a href="http://link/to/popup" onclick="javascript:openWindow(this.href); return false;">pop it up</a>

This way the link is accessible on non-Javascript-enabled clients.

Re: javascript URL in href purified away
September 05, 2007 07:14PM

JavaScript will never be allowed in URLs unless it's for a trusted user (and as of right now, the architecture of our system doesn't accommodate something like that). My suggestion is to use some external JavaScript to attach onClick event handlers to all user-given links (you can search for a nodes inside an element with an ID) that pop open new windows.

Personally though, I find that sort of behavior annoying and disruptive. Also consider target="_blank" as a possible alternative.

BreT
Re: javascript URL in href purified away
September 06, 2007 08:05AM

Thank you for your posts. I've solved the problem as follows:

  • Extracting all href Attributes
  • Purifying the Code
  • Inserting all href Attributes

In this way I can allow <a href="javascript:function(param);">pop it up</a>

Re: javascript URL in href purified away
September 06, 2007 03:15PM

Nooo! Bad idea! That means arbitrary JavaScript can be put in the href attributes! Instant XSS!

Apologies for all the exclamation marks.

BreT
Re: javascript URL in href purified away
September 12, 2007 07:42AM

Slow down, I'm using HTML Purifier to filter the bad code created by TinyMCE in the backend of my website. This means no user will ever put in some bad JavaScript! Right? So long, BreT

Re: javascript URL in href purified away
September 12, 2007 01:26PM

No. TinyMCE does contain some filtering capabilities, but they are not to be trusted, as they can be disabled by an unsavory user. ALL USER INPUT MUST BE VALIDATED SERVER-SIDE!

H
Re: javascript URL in href purified away
January 30, 2010 05:33PM

I need a workaround for this too... I want popup, not _blank... -.-

Re: javascript URL in href purified away
January 30, 2010 06:35PM

Can you attach the pop-up handler to the links at runtime using JavaScript that walks the DOM?
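
The approach suggested in the replies above (external JavaScript that walks the DOM and attaches click handlers to the already-purified links), as an added example that is not part of the original thread. The container id `user-content`, the function names and the window features are assumptions; the markup keeps plain `http(s)` hrefs, so HTML Purifier can go on stripping `javascript:` URLs.

```javascript
// Added example (not from the thread). Names and the "user-content" id are assumptions.
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// True only when href resolves to an http(s) URL.
// javascript:, data:, vbscript: and unparsable values are rejected.
function isSafeHref(href, base) {
  try {
    return SAFE_PROTOCOLS.has(new URL(href, base).protocol);
  } catch (e) {
    return false;
  }
}

// Walk every <a href> inside `container` and attach a click handler that
// opens the link in a pop-up. `openFn` is window.open in a browser and is
// passed in so the logic can be exercised without a DOM.
// Returns the number of links that received a handler.
function attachPopups(container, base, openFn) {
  let attached = 0;
  for (const a of container.querySelectorAll("a[href]")) {
    const href = a.getAttribute("href");
    if (!isSafeHref(href, base)) continue; // leave anything unexpected alone
    const target = new URL(href, base).href;
    a.addEventListener("click", (ev) => {
      ev.preventDefault(); // the href still works when scripting is off
      openFn(target, "_blank", "noopener,width=600,height=400");
    });
    attached++;
  }
  return attached;
}

// Browser wiring: runs only where a DOM exists.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    const box = document.getElementById("user-content");
    if (box) attachPopups(box, document.baseURI, window.open.bind(window));
  });
}
```

The script is served from the site's own static files, so the pop-up behaviour never depends on anything stored in user-submitted HTML.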

Gabriel
Re: javascript URL in href purified away
September 07, 2010 08:35PM

I'm looking to use the current url javascript function for my site's social networking tools.

http://www.galonet.com

I need to parse the current url into an anchor text like so:

<li><a title="Share this Page on Twitter" href="http://twitter.com/home?status=Galonet+will+boost+Ur+web+traffic+<?php echo curPageURL();?>" target="_blank">ReTweet</a>&nbsp;&nbsp;</li> 

The above implementation is done in PHP, and works fine, but I have a need to create the same result via JavaScript.

Any help is much appreciated.

Edited 1 time(s). Last edit at 09/08/2010 01:03PM by Ambush Commander.
