Why is the use of TAB (%09) characters in the middle a 'javascript:' URL valid?

When an element is clicked, the link is followed and its URL is resolved. This causes the string to be processed by the basic URL parser.

In your example, the parameter is processed in the path state during which TAB (U+0009) characters, along with carriage return and line feed characters, are ignored, and therefore do not form part of the resolved URL.Why does anchor tag remove tab character in URL specified inside href attribute?

As per the specification of Basic URL Parser, the ASCII tab or newline will be removed from the URL (or just ignored).


I found an old discussion that you might find interesting for understanding the possible historical reasons behind this choice.

https://bugzilla.mozilla.org/show_bug.cgi?id=87298

That's a 19-year-old bug in Mozilla. The problem was that one website was not working as expected, because Mozilla didn't strip tab characters inside the URL in a link. The page worked as expected in Internet Explorer, which apparently ignored the tabs. Tabs are often used for indentation in HTML files, so sometimes you can expect a few tabs after a new line. Somebody cited a IETF standard suggesting that "whitespace should be ignored when extracting the URI". However, others were not fully convinced that removing all whitespace characters would be a good idea, because sometimes you might run across URIs with unencoded spaces (for example: https://www.example.com/path with spaces/), even though that would be wrong, at least according to current standards. Therefore they decided to just add tabs to the list of removed characters (carriage-return and line-feed characters were already being removed). Note though that spaces are allowed, and ignored, when they are at the beginning or at the end of the URI (example: <a href=" http://www.example.com "></a>).

So I suppose the historical reason for this choice is that they wanted to make sure the following code would work:

<!-- URL with new lines and TABS for indentation -->
<a href="https://www.example.com/?
         param1=foo&
         param2=bar">
   Click on this example link
</a>

<!-- URL with unencoded spaces -->
<a href="https://www.example.com/path with spaces/foo">Click here</a>

However they did not check exactly where the spaces or tabs were in the URL, they just decided to keep the spaces and remove the tabs. As a result, the first example doesn't work if you use spaces for indentation, and tab characters can be included anywhere in the URL without affecting anything (so even java<tab>script will be ok).

Tags:

Xss

Web Browser

Related

Is cell phone number based verification secure? Randomly selected words converted into sentence. Did I lose passphrase strength or gain it? Why does my digital bank need my phone date and hour to be correct? If hashing should occur server-side, how do you protect the plaintext in transit? Defending against DoS via product reservation Do I still need CSRF protection when SameSite is set to Lax? How can we eliminate passwords given the problems with biometric authentication? What information does ssh -vvv expose? Does legitimate tech support use remote control software? What is the suggested best practice for changing a user's email address? Are there security reasons for prohibiting universal mac address modification? How does releasing exfiltrated data increase the chances of an attacker getting caught?

Recent Posts