Wednesday, December 5, 2012

When relative paths go bad

Relative urls on your website are suddenly using the wrong domain.

It’s XSS (sort of).
A <base> element changes the target of every relative URL on the page.
<base> is supposed to be in <head>, but Chrome (and possibly other browsers) will respect it when it appears in <body>.

Add <base> to the blacklisted elements on all of your user inputs.
Check existing user content. 
Use absolute urls.
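The two points above (a <base> anywhere in the document redirects every relative URL, and the fix is to blocklist the element, audit stored content, and prefer absolute URLs) can be checked with a small audit script. The following is an added example, not code from the original post: it uses only the Python standard library, the page URL and the HTML sample are constructed for illustration, and the function names (audit, strip_base) are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample (assumption): a page on example.com whose user-supplied
# content smuggled a <base> element into the <body>.
PAGE_URL = "https://example.com/blog/post.html"
SAMPLE_HTML = """<html><head><title>Post</title></head><body>
<p>user content follows</p>
<base href="https://untrusted.invalid/">
<a href="/login">Log in</a>
<a href="https://example.com/about">About</a>
<img src="images/logo.png">
<script src="/static/app.js"></script>
</body></html>"""


class BaseAudit(HTMLParser):
    """Collects every <base href> (and whether it sits in head or body)
    plus every href/src attribute on the page."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.bases = []   # (href, "head" or "body")
        self.refs = []    # (tag, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "head":
            self.in_head = True
        elif tag == "base" and attrs.get("href"):
            self.bases.append((attrs["href"], "head" if self.in_head else "body"))
            return
        for name in ("href", "src"):
            if name in attrs:
                self.refs.append((tag, name, attrs[name]))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit(html, page_url):
    """Report where each href/src resolves with and without the page's <base>.

    Browsers honour the first <base> with an href, wherever it appears, so the
    'actual' URL is resolved against that; 'expected' is resolved against the
    page URL itself. A row is hijacked when the two differ.
    """
    p = BaseAudit()
    p.feed(html)
    effective = urljoin(page_url, p.bases[0][0]) if p.bases else page_url
    rows = []
    for tag, attr, value in p.refs:
        expected = urljoin(page_url, value)
        actual = urljoin(effective, value)
        rows.append({"tag": tag, "attr": attr, "value": value,
                     "expected": expected, "actual": actual,
                     "hijacked": expected != actual})
    return {"bases": p.bases, "refs": rows}


# Matches opening and closing <base> tags, case-insensitively.
_BASE_TAG = re.compile(r"<\s*/?\s*base\b[^>]*>", re.IGNORECASE)


def strip_base(html):
    """Remove every <base> tag: the blocklist entry the post recommends."""
    return _BASE_TAG.sub("", html)


if __name__ == "__main__":
    for row in audit(SAMPLE_HTML, PAGE_URL)["refs"]:
        flag = "HIJACKED" if row["hijacked"] else "ok"
        print(f"{row['tag']:6} {row['value']:32} -> {row['actual']}  [{flag}]")
```

Running audit() over stored user content is the "check existing user content" step: any entry under "bases" located in "body" is content to clean up. The absolute link in the sample resolves identically with or without the rogue <base>, which is why the post's last recommendation works. The regex in strip_base() is only a demonstration of the blocklist entry; a production sanitizer should be allowlist-based so that an unexpected spelling or encoding of the tag cannot slip past it.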