I ran across a bit of obscure web app code today which returns the user a page containing the referrer provided by the browser. My initial reaction was that this opened the page up to HTML injection attacks, but I’m not quite sure how it could be exploited. From a bit of research, all I could come up with were references to systems which stored and returned the referrer (for those little referrer logs which used to be common in blogs). In this specific code, however, the referrer is only returned to the original requester.

I have a feeling something could be crafted by getting the victim to go to a page with a controlled URL, then click a link through to the vulnerable page. I’m not sure, however, if this would work. Perhaps, for example, the common browsers stop this by URL-encoding the referrer URL. I’m not going to look into it seriously at the moment, and obviously the code is better off secured anyway, but it would be interesting to know if this is a problem.
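The reflection pattern described above, as an added example that is not part of the original post: a minimal handler that interpolates the `Referer` header into HTML verbatim, next to the hardened form that HTML-escapes it. It also shows the caveat behind the "browsers URL-encode it" question: if the application percent-decodes the referrer before rendering (a common prettifying step), any encoding the browser applied is undone, so the output encoding has to happen server-side regardless of client behaviour. The header values and the `render_*` function names are constructed for this example.

```python
import html
from typing import Mapping
from urllib.parse import unquote


def render_referrer_unsafe(headers: Mapping[str, str]) -> str:
    """Vulnerable pattern: the Referer header is placed into HTML as-is."""
    referer = headers.get("Referer", "")
    return f"<p>You came from: {referer}</p>"


def render_referrer_safe(headers: Mapping[str, str]) -> str:
    """Hardened pattern: treat the header as untrusted data and HTML-escape it."""
    referer = headers.get("Referer", "")
    return f"<p>You came from: {html.escape(referer, quote=True)}</p>"


def render_referrer_decoded_unsafe(headers: Mapping[str, str]) -> str:
    """Percent-decodes the referrer for display, then reflects it unescaped.

    Even if the browser percent-encoded markup characters, decoding here
    reintroduces them into the HTML.
    """
    referer = unquote(headers.get("Referer", ""))
    return f"<p>You came from: {referer}</p>"


def render_referrer_decoded_safe(headers: Mapping[str, str]) -> str:
    """Percent-decodes for display, but escapes AFTER decoding."""
    referer = unquote(headers.get("Referer", ""))
    return f"<p>You came from: {html.escape(referer, quote=True)}</p>"


def contains_raw_markup(fragment: str) -> bool:
    """Crude check on the rendered fragment: any '<', '>' or '"' surviving
    inside the reflected value means data reached the HTML context unescaped."""
    prefix, suffix = "<p>You came from: ", "</p>"
    body = fragment[len(prefix):-len(suffix)]
    return any(ch in body for ch in '<>"')


# Constructed sample headers (not real traffic).
# 1) A client that sends markup characters unencoded.
RAW_HEADERS = {"Referer": 'https://example.invalid/page?q=<b>x</b>&y="z"'}
# 2) A client that percent-encodes them, as a browser normally would.
ENCODED_HEADERS = {"Referer": "https://example.invalid/page?q=%3Cb%3Ex%3C%2Fb%3E"}


if __name__ == "__main__":
    for name, fn, hdrs in [
        ("unsafe / raw client", render_referrer_unsafe, RAW_HEADERS),
        ("safe / raw client", render_referrer_safe, RAW_HEADERS),
        ("unsafe / encoded client", render_referrer_unsafe, ENCODED_HEADERS),
        ("decoded unsafe / encoded client", render_referrer_decoded_unsafe, ENCODED_HEADERS),
        ("decoded safe / encoded client", render_referrer_decoded_safe, ENCODED_HEADERS),
    ]:
        out = fn(hdrs)
        print(f"{name:32s} markup leaked={contains_raw_markup(out)}  {out}")
```

The point the comparison makes: with an encoding client the plain reflection looks harmless, but the moment the application decodes the value for display the protection evaporates, so the only fix that does not depend on the browser is escaping at the point of output.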