Validation logic that checks only the javascript scheme is not enough. It should be extended to the vbscript and data schemes as well, because URLs with those schemes can also carry code with semantics similar to the javascript scheme.

URLs with the javascript scheme execute script when visited. Although scripting helps create feature-rich web applications, it can also be exploited for malicious purposes, which makes URLs from untrusted sources risky: they may contain harmful code. Since URLs with the vbscript and data schemes behave similarly, it is recommended to reject URLs with any of the schemes javascript, vbscript and data.
package main

import "net/url"

// Bad practice: only the javascript scheme is rejected, so data: and vbscript:
// URLs still pass through unchanged.
func validateURLScheme(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme == "javascript" {
		return "about:blank"
	}
	return rawURL
}
package main

import "net/url"

// Recommended: reject every scheme that can carry executable content.
// url.Parse lower-cases the scheme, so "JavaScript:" and "DATA:" are caught too;
// unparseable input is also replaced with about:blank.
func validateURLScheme(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme == "javascript" || u.Scheme == "data" || u.Scheme == "vbscript" {
		return "about:blank"
	}
	return rawURL
}
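The recommended code above is a denylist, which has to be kept up to date as new dangerous schemes appear. The stricter form of the same check is an allowlist of the few schemes the application actually needs. The example below is added here and is not part of the original rule text; the allowed set (http, https, mailto) and the function name SafeURL are assumptions chosen for illustration, and the inputs in main are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
)

// allowedSchemes is a hypothetical allowlist for this example; an application
// should list only the schemes it really emits into href/src/location.
var allowedSchemes = map[string]bool{
	"http":   true,
	"https":  true,
	"mailto": true,
}

// SafeURL returns rawURL unchanged when it parses and its scheme is either
// absent (a relative URL resolved against the page's own origin) or allowlisted.
// Anything else, including javascript:, data:, vbscript: and input that
// net/url refuses to parse (e.g. control characters), becomes about:blank.
func SafeURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "about:blank"
	}
	// url.Parse lower-cases the scheme, so "JavaScript:" is compared as "javascript".
	if u.Scheme == "" || allowedSchemes[u.Scheme] {
		return rawURL
	}
	return "about:blank"
}

func main() {
	// Constructed sample inputs covering the schemes the rule discusses.
	samples := []string{
		"https://example.com/path?q=1",
		"/relative/path",
		"mailto:user@example.com",
		"javascript:alert(1)",
		"JavaScript:alert(1)",
		"vbscript:MsgBox(1)",
		"data:text/html,<b>x</b>",
		"\tjavascript:alert(1)",
	}
	for _, s := range samples {
		fmt.Printf("%q -> %q\n", s, SafeURL(s))
	}
}
```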