Javascript protocol fuzz results. If your HTML sanitizer uses blacklisting rather than whitelisting, here are a few more weird ways of injecting javascript: into a link that you need to worry about—but you should really switch to whitelisting http:// and https:// instead.
While I don't see a reason not to whitelist those schemes, doing proper parsing of the HTML should also fix this, as it will write "jav�ascript:" as "jav&#56320ascript:" which should break the attack.
Ian Bicking - 30th June 2008 20:35 - #
Also, noting that parsers that don't resolve entities are crap. Python's HTMLParser included, of course.
Ian Bicking - 30th June 2008 20:37 - #
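An added example, not code from the post or from the commenters: a Python sketch of the http/https allowlist the post recommends, resolving character references first as the comments suggest, shown next to a literal-string blocklist. The function names, the absolute-URL-only policy and the sample values are assumptions made for illustration.

```python
import html
import re

# The allowlist the post names: only these schemes survive sanitization.
ALLOWED_SCHEMES = {"http", "https"}

# RFC 3986 scheme syntax followed by "//", matching the "http://" form.
_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*)://")

# Browsers ignore leading/trailing C0 control characters and spaces in URLs.
_EDGE_CHARS = "".join(map(chr, range(0x21)))


def naive_blocklist_ok(raw_href):
    """Fragile approach: reject only values that literally start with 'javascript:'."""
    return not raw_href.strip().lower().startswith("javascript:")


def sanitize_href(raw_href):
    """Return a re-escaped href, or None if the link must be dropped.

    raw_href is the attribute value as written in the markup, with
    character references still unresolved.
    """
    # Resolve entities first, as an HTML parser would. html.unescape also
    # accepts references missing the trailing ';' and maps invalid code
    # points such as lone surrogates to U+FFFD.
    value = html.unescape(raw_href).strip(_EDGE_CHARS)
    match = _SCHEME_RE.match(value)
    if match is None or match.group(1).lower() not in ALLOWED_SCHEMES:
        return None  # includes relative URLs: this policy is absolute-only
    # Re-serialize so the value cannot break out of a quoted attribute.
    return html.escape(value, quote=True)


# Constructed sample attribute values (not taken from the fuzz results).
SAMPLES = [
    "https://example.com/?a=1&amp;b=2",
    "JavaScript:void(0)",
    "&#106;avascript:void(0)",
    "jav&#9;ascript:void(0)",
    "jav&#56320ascript:void(0)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:36} blocklist_ok={naive_blocklist_ok(s)!s:5} -> {sanitize_href(s)!r}")
```

The blocklist passes every obfuscated sample except the mixed-case one, while the allowlist never has to recognise any of them: anything that is not an absolute http or https URL after entity resolution is dropped.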