Affected Tool or Page
Open Graph Inspector (tools/open-graph-inspector.html)
Bug Description
The Open Graph Inspector renders parsed metadata properties (like canonical URLs and favicons) as clickable links (<a>). However, it does not validate the protocol/scheme of the URL before putting it into the href attribute. As a result, a malicious page can supply a javascript: URI, which will execute in the user's browser context when clicked.
Steps to Reproduce
- Open the Open Graph Inspector tool (
tools/open-graph-inspector.html).
- Select "Paste HTML" mode.
- Paste the following snippet:
<link rel="canonical" href="javascript:alert(document.cookie)" />
- Click the "Analyze" button.
- In the "SEO Metadata" card, click the link next to "canonical".
- See the JavaScript execute (
alert(document.cookie) is fired).
Expected Behavior
Only safe protocols (http:, https:, or relative paths starting with /) should be rendered as clickable anchor tags, or unsafe protocols like javascript: should be blocked.
Actual Behavior
The javascript: URI is rendered directly in the href attribute and executed upon clicking.
Environment
Any browser, any OS.
Screenshots
No response
Pre-submission Checklist
Affected Tool or Page
Open Graph Inspector (
tools/open-graph-inspector.html)Bug Description
The Open Graph Inspector renders parsed metadata properties (like canonical URLs and favicons) as clickable links (
<a>). However, it does not validate the protocol/scheme of the URL before putting it into thehrefattribute. As a result, a malicious page can supply ajavascript:URI, which will execute in the user's browser context when clicked.Steps to Reproduce
tools/open-graph-inspector.html).alert(document.cookie)is fired).Expected Behavior
Only safe protocols (
http:,https:, or relative paths starting with/) should be rendered as clickable anchor tags, or unsafe protocols likejavascript:should be blocked.Actual Behavior
The
javascript:URI is rendered directly in thehrefattribute and executed upon clicking.Environment
Any browser, any OS.
Screenshots
No response
Pre-submission Checklist