Skip to content

Bug: JavaScript URI Execution (DOM XSS) via Clickable Metadata Links #353

Description

@devprashant19

Affected Tool or Page

Open Graph Inspector (tools/open-graph-inspector.html)

Bug Description

The Open Graph Inspector renders parsed metadata properties (like canonical URLs and favicons) as clickable links (<a>). However, it does not validate the protocol/scheme of the URL before putting it into the href attribute. As a result, a malicious page can supply a javascript: URI, which will execute in the user's browser context when clicked.

Steps to Reproduce

  1. Open the Open Graph Inspector tool (tools/open-graph-inspector.html).
  2. Select "Paste HTML" mode.
  3. Paste the following snippet:
    <link rel="canonical" href="javascript:alert(document.cookie)" />
  4. Click the "Analyze" button.
  5. In the "SEO Metadata" card, click the link next to "canonical".
  6. See the JavaScript execute (alert(document.cookie) is fired).

Expected Behavior

Only safe protocols (http:, https:, or relative paths starting with /) should be rendered as clickable anchor tags, or unsafe protocols like javascript: should be blocked.

Actual Behavior

The javascript: URI is rendered directly in the href attribute and executed upon clicking.

Environment

Any browser, any OS.

Screenshots

No response

Pre-submission Checklist

  • I have checked existing issues for duplicates.
  • I have tested this in at least one modern browser.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions