Simon Willison’s Weblog

30th June 2008 - Link Blog

Javascript protocol fuzz results. If your HTML sanitizer uses blacklisting rather than whitelisting here are a few more weird ways of injecting javascript: in to a link that you need to worry about—but you should really switch to whitelisting http:// and https:// instead.

Posted 30th June 2008 at 3:57 pm

Recent articles

Thoughts on OpenAI acquiring Astral and uv/ruff/ty - 19th March 2026
GPT-5.4 mini and GPT-5.4 nano, which can describe 76,000 photos for $52 - 17th March 2026
My fireside chat about agentic engineering at the Pragmatic Summit - 14th March 2026

This is a link post by Simon Willison, posted on 30th June 2008.

blacklisting 2 firefox 90 fuzztesting 1 html 95 javascript 745 sanitization 2 security 579 whitelisting 7

Monthly briefing

Sponsor me for $10/month and get a curated email digest of the month's most important LLM developments.

Pay me to send you less!

Sponsor & subscribe