Can Javascript be written in a html href tag?

I am trying to figure out all the ways javascript can be written. I am making a white list of acceptable tags however the attributes are getting me.

In my rich html editor I allow stuff like links.

<a href="">Hi </a>

Now I am using html agility pack to get rid of attributes I won't support and html tags for that matter开发者_运维问答.

However I am still unclear if a person could do something like this

<a href="<script>alert('hi')</script>">Bad </a>

So I am not sure if I have to start looking at the inner text of all attributes that I support and html encode them? Or if what.

I am also not sure how to prevent a html link that goes to some page and launches some javascript on load.

I am not sure if a white list can stop that one.

<a href="javascript:void(0)" onclick="alert('hi');">Bad</a>

or

<a href="javascript:alert('hi');">Bad</a>

If you're trying to write an XSS validator for user-entered HTML for production, I highly recommend you use an existing library. Even with the whitelist approach you are taking, there are many, many possible attribute values that can result in XSS. Search for "javascript:" in the XSS Cheat Sheet to see all sorts of places javascript: uris can turn up. Here is an incomplete list:

<IMG SRC="javascript:alert('XSS');">
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">

There are also ways to inject external script urls, like this:

<XSS STYLE="behavior: url(xss.htc);">

If you're writing this for your own education, then the XSS Cheat Sheet has some really great fodder for unit tests.

you can do this:

<a href="javascript:(function(){
    alert('hello');
})()">Hello</a>

if you want to get really crazy

Edit: I like this even better

<a onclick="alert(eval({Crazy:function(){alert('Hello');return 'World';}}).Crazy());">
    Crazy
</a>