This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Avoid the JavaScript Protocol to Open a new Window

The JavaScript protocol (javascript: URLs) should be avoided because it is extremely complicated to use safely with untrusted data. It is common to see the JavaScript protocol used to open a new window like this:

<a href="javascript:window.open('/page?value=<%=request.getParameter("value")%>', 'w3c','location=no')"> Method</a>

The above example is difficult to encode safely because the untrusted value sits inside several nested contexts; from outermost to innermost these are: HTML attribute, JavaScript string literal, URL. To make the encoding easier and increase the overall safety, this can be refactored into the following:

<a href="/page?value=<%=request.getParameter("value")%>" onclick="window.open(this.href, 'w3c','location=no'); return false;"> Method</a>

The above simplifies the required encoding by removing the deep nesting of contexts: the untrusted value now only needs URL encoding followed by HTML attribute encoding, and the JavaScript in the onclick handler never contains the value at all. It is important to note that the onclick handler must end with "return false;" in this scenario; otherwise the browser performs the default action of the link and navigates the current window or frame to the URL in the href as well.

Authors and Primary Editors

Jeremy Long - jeremy.long [at]