
Simon Willison’s Weblog

Watch out for Javascript in referrals

Here’s a good reminder of why you should always encode < and > as HTML entities when displaying content from an untrusted (i.e. external) source: Kasia in a nutshell was hit by a false referrer containing JavaScript deliberately aimed at hijacking the page the referrer was displayed on:

<script>top.location.href='http://redirect_to_this_assholes_page';</script>

She even got a link from The Register for her troubles.
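The fix the post recommends, as an added example that is not part of the original entry: the hostile referrer value quoted above is embedded in a page once without encoding and once with `<`, `>`, `&` and quotes converted to entities. The sample header value and the `render_*` helper names are constructed for this illustration; the redirect target is the post's own placeholder, not a real site.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: the Referer value quoted in the post above.
HOSTILE_REFERER = (
    "<script>top.location.href='http://redirect_to_this_assholes_page';</script>"
)


def escape_for_html(untrusted: str) -> str:
    """Encode <, >, &, and both quote characters so a browser shows the
    text literally instead of parsing it as markup."""
    return html.escape(untrusted, quote=True)


def render_referrer_unsafe(referer: str) -> str:
    """The vulnerable pattern: the raw header pasted into the page, so any
    <script> element inside it becomes live code for every visitor."""
    return f"<li>Referred from: {referer}</li>"


def render_referrer_safe(referer: str) -> str:
    """Same listing with the header entity-encoded first."""
    return f"<li>Referred from: {escape_for_html(referer)}</li>"


def is_plausible_referrer(referer: str) -> bool:
    """Optional extra filter: only list values that parse as an http(s) URL
    with a host. This reduces noise but does not replace escaping, since a
    syntactically valid URL can still carry < and > in its path or query."""
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    print("unsafe:", render_referrer_unsafe(HOSTILE_REFERER))
    print("safe:  ", render_referrer_safe(HOSTILE_REFERER))
    print("plausible URL?", is_plausible_referrer(HOSTILE_REFERER))
```

The unsafe rendering contains a working `<script>` element; the safe rendering shows `&lt;script&gt;...` as inert text. The URL-shape check is a second layer only: escaping at output time is the control that actually closes the hole.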

This is Watch out for Javascript in referrals by Simon Willison, posted on 20th February 2003.


1 comment

  1. For sake of accuracy, I wasn't the one hit with this (I don't display referers on my blog) -- I just spotted another blog hijacked that way.

    kasia - 21st February 2003 20:39 - #


Previously hosted at http://simon.incutio.com/archive/2003/02/20/referrerJavascriptWarning
