Simon Willison’s Weblog

Javascript protocol fuzz results. If your HTML sanitizer uses blacklisting rather than whitelisting here are a few more weird ways of injecting javascript: in to a link that you need to worry about—but you should really switch to whitelisting http:// and https:// instead.

Posted 30th June 2008 at 3:57 pm

Recent articles

My Lethal Trifecta talk at the Bay Area AI Security Meetup - 9th August 2025
The surprise deprecation of GPT-4o for ChatGPT consumers - 8th August 2025
GPT-5: Key characteristics, pricing and model card - 7th August 2025

blacklisting 2 firefox 90 fuzztesting 1 html 88 javascript 718 sanitization 2 security 534 whitelisting 7

Monthly briefing

Sponsor me for $10/month and get a curated email digest of the month's most important LLM developments.

Pay me to send you less!

Sponsor & subscribe