[owasp-antisamy] onsiteURL question

Carlos Aguayo carlos.aguayo at gmail.com
Tue Aug 30 11:57:58 EDT 2011

I'd like to generate URLs that have colons (:) in them, for example:

<a href="#entry:1234">myEntry</a>

The above currently gets filtered by the
because it doesn't have a colon in the regex. The regex for the eBay policy

<regexp name="onsiteURL"

If I add the colon to it, it works, and then my use case is allowed:

<regexp name="onsiteURL" value="([\p{L}\p{N}\\\.\#@\$%\+&amp;;*:*

The scenario that we thought would be the reason to disallow a colon in it
would be for someone to try to inject JavaScript in it, for example:

<a href="javascript:xss()">xss</a>

However, that case is still filtered.

So the question is, does anyone know if it could become unsafe to have the
colon in the onsiteURL property?
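
Added example, not part of the original post and not AntiSamy's own code: a small Java harness that compares three variants of an onsiteURL-style pattern against the two links from the post plus constructed values. The character class `CHARS` is an assumed stand-in (the policy's real value is cut off above), and whole-value matching via `matches()` is assumed to mirror how the filter applies the regex.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class OnsiteUrlColonCheck {
    // Assumed stand-in character class; the policy's real value is cut off in the post.
    static final String CHARS = "\\p{L}\\p{N}\\\\.#@$%+&;\\-_~,?=/!";

    public static void main(String[] args) {
        Map<String, Pattern> variants = new LinkedHashMap<>();
        variants.put("no colon", Pattern.compile("[" + CHARS + "]+"));
        variants.put("colon anywhere", Pattern.compile("[" + CHARS + ":]+"));
        // Colon accepted only after '#', so it can never terminate a scheme name.
        variants.put("colon in fragment only", Pattern.compile(
            "[" + CHARS + "]+|[" + CHARS + "]*#[\\p{L}\\p{N}_:\\-]+"));

        String[] samples = {
            "#entry:1234",          // from the post: the wanted link
            "javascript:xss()",     // from the post: must stay blocked
            "scheme:rest",          // constructed: generic scheme-style value
            "page.html#entry:1234", // constructed
            "/items/42?sort=asc"    // constructed
        };

        for (Map.Entry<String, Pattern> v : variants.entrySet()) {
            System.out.println(v.getKey());
            for (String s : samples) {
                // matches() requires the whole value to match the pattern.
                boolean ok = v.getValue().matcher(s).matches();
                System.out.printf("  %-8s %s%n", ok ? "allowed" : "filtered", s);
            }
        }
    }
}
```

With this stand-in class, the "colon anywhere" variant also lets `scheme:rest` through, and `javascript:xss()` is filtered in all three variants only because `(` and `)` are outside the class. The "colon in fragment only" variant allows `#entry:1234` while still rejecting any value where a colon appears before the `#`.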

