Simon Willison’s Weblog


Watch out for Javascript in referrals

20th February 2003

Here’s a good reminder why you should always encode < and > as HTML entities when displaying content from an untrusted (i.e. external) source: Kasia in a nutshell was hit by a false referrer containing javascript deliberately aimed at hijacking the page the referrer was displayed on:
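As an added illustration (not code from the post or from Kasia’s site), here is the vulnerable pattern beside the fix: a referrer list that drops the header text straight into the page, and one that escapes it with Python’s `html.escape` so the same text is shown but never parsed as markup. The sample referrers and the `render_*` helpers are constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample referrers: one legitimate, one carrying markup in the
# Referer header in the hope that the site echoes it back unescaped.
SAMPLE_REFERRERS = [
    "http://example.com/links.html",
    'http://example.invalid/"><script>alert(1)</script>',
]


def render_unsafe(referrer: str) -> str:
    """The vulnerable pattern: untrusted header text inserted verbatim into HTML."""
    return f'<li><a href="{referrer}">{referrer}</a></li>'


def render_safe(referrer: str) -> str:
    """Escape <, >, & and quotes so the referrer is displayed as text, not markup.

    quote=True matters here because the value also lands inside an attribute
    (the href); without it a stray " could still break out of the attribute.
    """
    escaped = html.escape(referrer, quote=True)
    return f'<li><a href="{escaped}">{escaped}</a></li>'


def is_displayable_referrer(referrer: str) -> bool:
    """Second line of defence: only turn http(s) URLs with a host into links,
    so a non-web scheme never becomes a clickable link even after escaping."""
    parts = urlsplit(referrer)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_referrer_list(referrers) -> str:
    """Build the whole list using only the safe renderer."""
    items = [render_safe(r) for r in referrers if is_displayable_referrer(r)]
    return "<ul>" + "".join(items) + "</ul>"


if __name__ == "__main__":
    for r in SAMPLE_REFERRERS:
        print("unsafe:", render_unsafe(r))
        print("safe:  ", render_safe(r))
```

Run it and compare the two lines for the second referrer: the unsafe version contains a live `<script>` tag, the safe version contains only `&lt;script&gt;`.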


She even got a link from The Register for her troubles.

This is Watch out for Javascript in referrals by Simon Willison, posted on 20th February 2003.
