Wednesday, December 5, 2012

When relative paths go bad

Problem:
Relative URLs on your website suddenly resolve against the wrong domain.

Cause:
It’s XSS (sort of).
A <base> element changes the target of every relative URL on the page.
<base> is supposed to live in <head>, but Chrome (and possibly other browsers) will honour it when it appears in <body>.

Solution:
Add <base> to the blacklisted elements on all of your user inputs.
Check existing user content.
Use absolute URLs.
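As an added example (not from the original post), here is a small audit script covering both the cause and the "check existing user content" step: it finds every <base> element in stored HTML, notes whether it sits inside <body>, and shows where relative links on that page would end up. The sample page, the site name and the function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class BaseTagAuditor(HTMLParser):
    """Records every <base> element in a document, wherever it appears.

    Browsers that honour <base> inside <body> re-target every relative URL
    after it, so the position (in body or not, source line) is recorded too.
    Tag and attribute names arrive lowercased, so <BASE HREF=...> is caught.
    """

    def __init__(self):
        super().__init__()
        self.in_body = False
        self.findings = []  # (href, inside_body, line_number)

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        elif tag == "base":
            line, _ = self.getpos()
            self.findings.append((dict(attrs).get("href"), self.in_body, line))


def find_base_tags(html):
    """Return [(href, inside_body, line), ...] for every <base> in html."""
    auditor = BaseTagAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def resolved_links(page_url, html, relative_links):
    """Map each relative link to the URL it resolves to on this page.

    Only the first <base> with an href sets the document base URL, so that
    is the one applied here; with no <base> the page's own URL is used."""
    hrefs = [href for href, _, _ in find_base_tags(html) if href]
    base = urljoin(page_url, hrefs[0]) if hrefs else page_url
    return {link: urljoin(base, link) for link in relative_links}


# Constructed sample: a forum page where a user comment carried a <base>.
SAMPLE_PAGE = """<html><head><title>Forum</title></head>
<body>
<p>Great post!</p>
<base href="https://wrong-domain.example/">
<a href="/account/settings">Settings</a>
</body></html>"""

if __name__ == "__main__":
    for href, in_body, line in find_base_tags(SAMPLE_PAGE):
        print(f"line {line}: <base href={href!r}> inside body={in_body}")
    print(resolved_links("https://mysite.example/forum/42", SAMPLE_PAGE,
                         ["/account/settings", "images/logo.png"]))
```

Run it over exported user content to list every comment or post that contains a <base>, then fix those entries before adding the tag to the input blacklist.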