Re: AppSec FAQ at OWASP

["Laurian Gridinoc" <laur () gd ro>]

> I would like to know that how you deal with the false positive?
> In the case of " <img src= "javascript: preview(....)> or <img  
> src="javascript:window.close()>..etc..etc..
> If you escape the "(" and ")"  that means you render out the harmless  
> Javascript too.
> Omarjan Ismail

I would say that using unregistered schemes as 'javascript:' in 'src' or  
'href' attributes is bad design.
If you want to bind javascript to an element, use events.

Cheers,

Laurian Gridinoc
Chief Developer
GRAPEFRUIT DESIGN
www.grapefruitdesign.com