Simon Willison’s Weblog

Subscribe

Watch out for Javascript in referrals

20th February 2003

Here’s a good reminder why you should always encode < and > as HTML entities when displaying content from an untrusted (i.e external) source: Kasia in a nutshell was hit by a false referrer containing javascript deliberately aimed at hijacking the page the referrer was displayed on:

<script>top.location.href='http://redirect_to_this_assholes_page';</script>

She even got a link from The Register for her troubles.

Posted 20th February 2003 at 5:38 pm · Follow me on Mastodon, Bluesky, Twitter or subscribe to my newsletter

More recent articles

This is Watch out for Javascript in referrals by Simon Willison, posted on 20th February 2003.

Next: More Python advocacy

Previous: Get a better browser!

Monthly briefing

Sponsor me for $10/month and get a curated email digest of the month's most important LLM developments.

Pay me to send you less!

Sponsor & subscribe

Previously hosted at http://simon.incutio.com/archive/2003/02/20/referrerJavascriptWarning