  1. #1
    SitePoint Enthusiast
    Join Date
    Nov 2004
    Location
    NJ
    Posts
    98
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Dynamic HTML viewer

    Hi all,

    Don't ask why, but I developed a way to dynamically view the output of HTML onto a div element. Here's the relevant code:

    Code:
    <script language="JavaScript" type="text/javascript">
    // Copy whatever is typed in the textarea into the preview div as live HTML.
    function update(){
      document.getElementById('targetA').innerHTML=document.getElementById('targetB').value;
    }
    </script>

    <!-- keyup (not keydown) so the textarea value already contains the new character -->
    <textarea onkeyup="update()" id="targetB" style="width:100%;"></textarea>
    <div id="targetA" style="position:absolute; border:1px solid #777777; background-color:#ffffff; padding:20px;"> &nbsp;  &nbsp; </div>

    Basically, for the purposes of what I am doing, it would be nice if I could put this online and allow people to dynamically build a web page or part of a web page right there.

    Now, I am expecting someone to bonk me on the head with the pretense that there is a huge security hole in this. The only problem is, I personally can't think of one. Yes, you can type something like:

    Code:
    <iframe src="http://www.google.com"></iframe>

    and have it load an iframe with google loaded in it. So basically I would like to request that someone please point out some obvious security hole that isn't so obvious to me right now so I don't get my hopes up of actually being able to use this.

    Thanks in advance

  2. #2
    SitePoint Guru
    Join Date
    Apr 2006
    Posts
    802
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The security worry is that the owner of a site that accepts input will mine the input for nefarious commercial or political reasons.

    Just saying you won't usually isn't enough to overcome reasonable skepticism.

  3. #3
    SitePoint Enthusiast
    Join Date
    Nov 2004
    Location
    NJ
    Posts
    98
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Although you make a good point, I meant security more in terms of someone actually using something like that to hack the site. Would you know anything about that?

  4. #4
    SitePoint Zealot
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    137
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You can't actually hack the site using that unless you're then inserting their HTML into a database or storing it on your server. If users insert bad HTML, it'll just affect their own computer, as that's where it's being executed. If you are inserting their HTML into a database, only output it to that user and make sure everything is escaped (mysql_real_escape_string() in PHP will do).
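The distinction post #4 draws (a live preview that only touches the author's own browser versus stored HTML shown to other readers) is easy to get wrong at the output step, so here is an added example that is not from the thread. It uses plain JavaScript with an in-memory Map standing in for the database; the function names, the `containsTag` check and the sample snippet are all assumptions made for the illustration. Note that what protects other readers at render time is HTML output encoding (the job `htmlspecialchars()` does in PHP); SQL escaping protects the database query, not the page.

```javascript
// Added example, not code from the thread. Runs under Node without a DOM.

// HTML output encoding: neutralises the five characters that can switch
// HTML context, so stored user text renders as literal text on another
// user's page instead of as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed in-memory store standing in for the database mentioned in post #4.
const store = new Map();

// Store the raw submission; encoding is applied at output, never at storage,
// so the author can still get their own HTML back for the live preview.
function saveSnippet(authorId, html) {
  store.set(authorId, html);
}

// Render policy from post #4: raw HTML only goes back to its own author
// (anything harmful there affects only their own browser); every other
// viewer gets the encoded form, which cannot create elements.
function renderForViewer(authorId, viewerId) {
  const html = store.get(authorId) || '';
  if (viewerId === authorId) return html;
  return escapeHtml(html);
}

// Hypothetical sanity check: does the string still contain an opening tag?
function containsTag(s) {
  return /<[a-z!\/]/i.test(s);
}

// Usage with a constructed sample taken from the kind of input in post #1.
const sample = '<iframe src="http://www.google.com"></iframe><b>hi</b>';
saveSnippet('alice', sample);
console.log(renderForViewer('alice', 'alice')); // author's own preview: raw HTML
console.log(renderForViewer('alice', 'bob'));   // other reader: encoded text
```

The design choice worth noting is encode-on-output: storing the raw HTML keeps the author's preview working, while the viewer check decides at render time whether the page may contain markup from someone else.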

