
Can Javascript be written in a html href tag?


I am trying to figure out all the ways javascript can be written. I am making a white list of acceptable tags; however, the attributes are getting me.

In my rich html editor I allow stuff like links.

<a href="">Hi </a>

Now I am using html agility pack to get rid of attributes I won't support and html tags for that matter.

However I am still unclear if a person could do something like this

<a href="<script>alert('hi')</script>">Bad </a>

So I am not sure if I have to start looking at the inner text of all attributes that I support and html encode them? Or if what.

I am also not sure how to prevent a html link that goes to some page and launches some javascript on load.

I am not sure if a white list can stop that one.


Solution

<a href="javascript:void(0)" onclick="alert('hi');">Bad</a>

or

<a href="javascript:alert('hi');">Bad</a>
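An added example (not code from the question or the answer) of the whitelist approach with HtmlAgilityPack that covers both of the cases above: tags and attributes not on the list are dropped (which removes `<script>` elements and every `on*` handler), and an `href` is kept only if, after entity decoding and whitespace/control-character stripping, it is a relative URL or uses http, https or mailto. The tag, attribute and scheme lists are assumed policy for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;

public static class LinkSanitizer
{
    // Assumed editor policy: everything not listed here is removed.
    static readonly HashSet<string> AllowedTags =
        new(StringComparer.OrdinalIgnoreCase) { "a", "b", "i", "p", "br" };
    static readonly HashSet<string> AllowedAttrs =
        new(StringComparer.OrdinalIgnoreCase) { "href", "title" };
    static readonly HashSet<string> AllowedSchemes =
        new(StringComparer.OrdinalIgnoreCase) { "http", "https", "mailto" };

    // True if the href is a relative URL or uses an allowed scheme.
    public static bool IsSafeHref(string raw)
    {
        // Decode entities (e.g. &#106;avascript:) and drop whitespace and
        // control characters, which browsers ignore, before reading the scheme.
        string href = HtmlEntity.DeEntitize(raw ?? "");
        href = new string(href.Where(c => c > ' ').ToArray());

        int colon = href.IndexOf(':');
        if (colon < 0) return true;                              // no scheme: relative URL
        int firstDelim = href.IndexOfAny(new[] { '/', '?', '#' });
        if (firstDelim >= 0 && firstDelim < colon) return true;  // e.g. "/search?q=a:b"
        return AllowedSchemes.Contains(href.Substring(0, colon));
    }

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html);
        var elements = doc.DocumentNode.Descendants()
                          .Where(n => n.NodeType == HtmlNodeType.Element).ToList();
        foreach (var node in elements)
        {
            if (!AllowedTags.Contains(node.Name)) { node.Remove(); continue; } // drops <script> with its text
            foreach (var attr in node.Attributes.ToList())
            {
                bool keep = AllowedAttrs.Contains(attr.Name) &&
                            (!attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase) || IsSafeHref(attr.Value));
                if (!keep) node.Attributes.Remove(attr);         // onclick, onload, javascript: hrefs go here
            }
        }
        return doc.DocumentNode.OuterHtml;
    }
}
```

With this policy `<a href="javascript:alert('hi');">` loses its `href` and `<a href="javascript:void(0)" onclick="...">` loses both attributes, while `<a href="https://example.org/">` is untouched; attribute values still need normal HTML attribute encoding wherever the sanitized markup is finally rendered.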