I thought it would be great to quickly share some interesting things I noticed about the way different browsers handle the JavaScript location object, but first a few words about the object's properties and what they contain:
- hash – everything after the # (anchor) in the URL
- host – the hostname and port
- hostname – the hostname
- href – the full URL
- pathname – path to the requested file
- port, protocol – I think these speak for themselves
- search – the query string (~GET parameters)
- target – the URL link's target name
What is so interesting about these properties? Well, it seems that the different browsers handle the values in them differently, and if they are written back into the HTML with JavaScript (for example with document.write) they can easily lead to cross-site scripting. Here is a summary of the properties I found "interesting" (not encoded by the browser):
| | IE 8 | Firefox 3.6.3 | Chrome 4.1.249.1064 | Opera 10.53 |
|---|---|---|---|---|
| location.hash | not encoded | not encoded | not encoded | not encoded |
| location.href | not encoded | encoded | not encoded (the hash in it is not encoded) | not encoded (the hash in it is not encoded) |
| location.search | not encoded | encoded | encoded | encoded |
I used the following simple HTML page to check the properties (it is intentionally vulnerable: every value is written into the document unescaped):

```html
<html>
<head><title>location object XSS test</title></head>
<body>
<script>
// Each location property is concatenated straight into the page,
// so whatever the browser did not encode ends up as live markup.
document.write("HASH: " + location.hash + "<br>");
document.write("HOST: " + location.host + "<br>");
document.write("HOSTNAME: " + location.hostname + "<br>");
document.write("HREF: " + location.href + "<br>");
document.write("PATHNAME: " + location.pathname + "<br>");
document.write("PORT: " + location.port + "<br>");
document.write("PROTOCOL: " + location.protocol + "<br>");
document.write("SEARCH: " + location.search + "<br>");
document.write("TARGET: " + location.target + "<br>");
</script>
</body>
</html>
```
For example, the result on Firefox was:

[Screenshot: output of the test page in Firefox]

On Internet Explorer 8:

[Screenshot: output of the test page in Internet Explorer 8]
I don't know whether this behaviour is intended in the different browsers, but one thing is sure: if you can avoid it, don't use JavaScript to write user-controllable parameters back into the page, or at least encode everything by hand as well.
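To show what "encode everything by hand" means in practice, here is an added example that is not part of the original post: the same property dump, once as the post's raw concatenation and once with each value HTML-escaped before it is written. The location object is constructed to mimic a browser that encodes search but not hash (the Chrome/Opera rows in the table), and the names `escapeHtml`, `renderUnsafe`, `renderSafe` and `renderDecodedSafe` are my own. It also goes one step beyond the post: decoding a browser-encoded value before writing it undoes the browser's encoding, so the escaping has to happen after any decodeURIComponent call.

```javascript
// Added example (not from the original post): escape location properties
// by hand before writing them into the page. Runs in Node or a browser;
// the location object below is constructed to mimic the post's test page.

// Characters that must never reach HTML markup unescaped.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mirrors the post's test page: raw concatenation. Vulnerable whenever the
// browser leaves a property unencoded (location.hash in every browser tested).
function renderUnsafe(loc) {
  return Object.entries(loc)
    .map(([name, value]) => name.toUpperCase() + ": " + value + "<br>")
    .join("");
}

// Hardened form: every property is HTML-escaped by hand, so it no longer
// matters which browser encoded which property.
function renderSafe(loc) {
  return Object.entries(loc)
    .map(([name, value]) => name.toUpperCase() + ": " + escapeHtml(value) + "<br>")
    .join("");
}

// Caveat: code that URL-decodes a value (to show "?q=<b>" instead of
// "?q=%3Cb%3E") gets the raw characters back, so escaping must come
// after decoding, not instead of it.
function renderDecodedSafe(loc) {
  const decoded = Object.fromEntries(
    Object.entries(loc).map(([name, value]) => [name, decodeURIComponent(value)])
  );
  return renderSafe(decoded);
}

// Constructed sample (hypothetical host): what the location object looks
// like after opening http://example.test/page.html?q=%3Cb%3E#<b>bold</b>
// in a browser that encodes search but not hash.
const sampleLocation = {
  hash: "#<b>bold</b>",
  host: "example.test",
  hostname: "example.test",
  href: "http://example.test/page.html?q=%3Cb%3E#<b>bold</b>",
  pathname: "/page.html",
  port: "",
  protocol: "http:",
  search: "?q=%3Cb%3E",
};

// In a real page you would call renderSafe(location) instead of the
// constructed object, or better still assign each value to an element's
// textContent and avoid building markup at all.
if (typeof document === "undefined") {
  console.log("unsafe: " + renderUnsafe(sampleLocation));
  console.log("safe:   " + renderSafe(sampleLocation));
}
```

The unsafe output carries the literal `<b>` from the hash into the page, while the safe output turns every `<` and `>` into `&lt;` and `&gt;` regardless of which browser produced the value.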
I haven't really played yet with the pathname and target properties, but I think it is possible to get similar results. The browsers also act differently depending on whether the URL comes from a link or is entered directly into the address bar... I will check these later and update the table.
I don't think these are vulnerabilities in the browsers, but in some (very limited) scenarios they can be exploited, so I thought it was worth a post. Don't be afraid to comment.


By the way: did you notice that if you copy the URL of an open site out of Firefox's navigation bar, it will be URL-encoded?
Just a tip: the location.hash values are not escaped in Firefox, such as "script", "iframe" or "a" tags... IE is not affected as far as I can see...