
Avoid the JavaScript Protocol to Open a new Window

From OWASP
Revision as of 17:46, 4 December 2011 by Jeremy.long


The JavaScript protocol (a javascript: URL) should be avoided because it is extremely complicated to use safely with untrusted data. It is common to see the JavaScript protocol used to open a new window like this:

<a href="javascript:window.open('http://www.w3schools.com/jsref/met_win_open.asp?value=<%=request.getParameter("value")%>', 'w3c','location=no')">Window.open() Method</a>

The above example is difficult to encode safely because of the nesting of several contexts; from the outside in these are: HTML attribute, URL (the javascript: URL itself), JavaScript, URL (the address passed to window.open). Untrusted data would have to be encoded correctly for every one of them, in the reverse order in which the browser decodes them. To make the encoding easier and increase the overall safety, this can be refactored into the following:

<a href="http://www.w3schools.com/jsref/met_win_open.asp?value=<%=ESAPI.encoder().encodeForURL(request.getParameter("value"))%>" onclick="window.open(this.href, 'w3c','location=no'); return false;">Window.open() Method</a>

The above simplifies the required encoding by removing the deep nesting of contexts: the untrusted value now appears only in the URL context, encoded once with ESAPI's encodeForURL, and the onclick handler reads the already-encoded value from this.href, so no untrusted data is ever concatenated into JavaScript source. It is important to note that the onclick handler must "return false;" in this scenario; otherwise the browser runs the handler and then also follows the href, navigating the current window or frame to the URL.
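The following is an added example, not code from the OWASP page or from ESAPI: a Node-runnable JavaScript module that builds the refactored anchor with one URL encoding plus one HTML-attribute encoding, and, for contrast, builds the original javascript: form with the four encoding passes its nested contexts require. The encoders (encodeForURL, encodeForHTMLAttribute, encodeForJavaScript), the builders (buildPopupAnchor, buildNestedAnchor), the browser-modelling decoders and the sample value are all constructed for this example; the encoders approximate what ESAPI does but are not ESAPI.

```javascript
// Added example (not from the OWASP page): one-pass encoding for the
// refactored anchor versus four-pass encoding for the javascript: form.
// All names and the sample value below are constructed for this example.

// URL context: percent-encode everything except unreserved characters.
// encodeURIComponent leaves ! ' ( ) * alone; they are encoded here too so
// a quote or parenthesis can never reach a JavaScript context downstream.
function encodeForURL(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// HTML attribute context: entity-encode the characters that can close a
// quoted attribute value or start markup.
function encodeForHTMLAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH-escape every
// non-alphanumeric character so the value cannot end the literal or the call.
function encodeForJavaScript(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// Refactored form from the page: untrusted data goes only into the URL
// (one URL encoding), the finished href is encoded once for the attribute,
// and onclick reads this.href, so user data never touches JavaScript source.
// windowName and features are developer constants, never user input.
function buildPopupAnchor(baseUrl, untrustedValue, windowName, features, label) {
  const href = `${baseUrl}?value=${encodeForURL(untrustedValue)}`;
  return `<a href="${encodeForHTMLAttribute(href)}" ` +
    `onclick="window.open(this.href, '${windowName}', '${features}'); return false;">` +
    `${encodeForHTMLAttribute(label)}</a>`;
}

// Original javascript: form, encoded correctly. The contexts nest as
// HTML attribute > javascript: URL > JavaScript string > URL, so the value
// is encoded four times, innermost first. One wrong, missing or mis-ordered
// layer is exactly the mistake the page warns about.
function buildNestedAnchor(baseUrl, untrustedValue, windowName, features, label) {
  let v = encodeForURL(untrustedValue);   // innermost: query string of the opened URL
  v = encodeForJavaScript(v);             // JavaScript string literal
  v = encodeForURL(v);                    // the javascript: URL body is percent-decoded
  const js = `window.open('${baseUrl}?value=${v}', '${windowName}', '${features}')`;
  return `<a href="${encodeForHTMLAttribute('javascript:' + js)}">` +
    `${encodeForHTMLAttribute(label)}</a>`;
}

// Decoding helpers that model what the browser and the target server do,
// used to confirm that both forms deliver the value to the server intact.
function decodeHTMLAttribute(value) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'" };
  return value.replace(/&(amp|lt|gt|quot|#x27);/g, (_, e) => map[e]);
}

function hrefOf(anchorHtml) {
  return decodeHTMLAttribute(/href="([^"]*)"/.exec(anchorHtml)[1]);
}

// Flat form: attribute decode, then the server parses the query string.
function extractPopupValue(anchorHtml) {
  return new URL(hrefOf(anchorHtml)).searchParams.get('value');
}

// Nested form: attribute decode, percent-decode the javascript: body,
// unescape the string literal, then parse the query string.
function extractNestedValue(anchorHtml) {
  const body = decodeURIComponent(hrefOf(anchorHtml).replace(/^javascript:/, ''));
  const literal = /window\.open\('([^']*)'/.exec(body)[1];
  const url = literal.replace(/\\x([0-9A-F]{2})|\\u([0-9A-F]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
  return new URL(url).searchParams.get('value');
}
```

The flat builder needs two encoders applied once each and never places the untrusted value in JavaScript; the nested builder needs four passes in the exact reverse of the browser's decoding order, which is why the page recommends the refactoring. The decoders exist only to show that a value containing quotes, ampersands and parentheses survives both paths unchanged.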

Authors and Primary Editors

Jeremy Long - jeremy.long [at] owasp.org