Thread: Safe Templates

  1. #1
    brent5392

    Safe Templates

    How would I go about creating a script that would scan a template file for any traces of JavaScript? I know it would involve heavy use of preg_replace(), but I just don't know where to start on this, and how I can cover everything as easily as possible.

    Not only do I want the <script> tag to be detected, but also onLoad, onClick, etc to be found. I need to also make sure that this will not interfere with any other content on the page.
    PHP | MySQL | (X)HTML | CSS

  2. #2
    Non-Member
    How do you want to store what is found? Like - Just put each line that is found into an array? Or remove or replace the JavaScript code?

    Because it should be fairly straightforward to look for opening and closing <script> tags. Then you just need to look for each occurrence of JavaScript used inside the HTML itself - like the onLoads and that.

    What exactly do you plan on using this for? Some more information would be desirable to work out the best solution.

  3. #3
    logic_earth
    http://ha.ckers.org/xss.html

    Lots of variations of how JavaScript can be embedded.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  4. #4
    kyberfabrikken

  5. #5
    brent5392

    Originally posted by ajclifford:
        How do you want to store what is found? Like - Just put each line that is found into an array? Or remove or replace the JavaScript code?

        Because it should be fairly straightforward to look for opening and closing <script> tags. Then you just need to look for each occurrence of JavaScript used inside the HTML itself - like the onLoads and that.

        What exactly do you plan on using this for? Some more information would be desirable to work out the best solution.

    I have two options, either deny the upload, or just remove the JavaScript. Removing it may seem the better option, for those who did not create the template themselves and wouldn't know the solution.
    PHP | MySQL | (X)HTML | CSS

  6. #6
    brent5392
    @logic_earth: Wow is all I can say...

    @kyberfabrikken: Ah, that should save me some time... well... a lot of time.
    PHP | MySQL | (X)HTML | CSS
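
Added example (not code from any poster in this thread): a check for the "deny the upload" option that parses the template with PHP's DOM extension instead of preg_replace(), so matching is done on element and attribute names rather than on raw text. It goes slightly beyond the question by also flagging javascript: URLs; the function name, the URL-attribute list and the sample template are assumptions made for illustration.

```php
<?php
// Added example: find_script_content() is a hypothetical helper, not code from the thread.
// It returns a list of findings; an empty list means nothing was flagged.
function find_script_content(string $html): array
{
    if (trim($html) === '') {
        return [];                                  // loadHTML() rejects empty input
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // tolerate sloppy template markup
    $doc->loadHTML($html, LIBXML_NONET);            // parse without network access
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $urlAttributes = ['href', 'src', 'action', 'formaction', 'background'];
    $findings = [];
    foreach ((new DOMXPath($doc))->query('//*') as $element) {
        $tag = strtolower($element->nodeName);
        $line = $element->getLineNo();
        if ($tag === 'script') {
            $findings[] = "line $line: <script> element";
        }
        foreach ($element->attributes as $attr) {
            $name = strtolower($attr->nodeName);
            // Entities are already decoded here; drop whitespace and control characters.
            $value = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->nodeValue));
            if (strncmp($name, 'on', 2) === 0) {
                $findings[] = "line $line: <$tag> has event handler attribute $name";
            } elseif (in_array($name, $urlAttributes, true)
                && strncmp($value, 'javascript:', 11) === 0) {
                $findings[] = "line $line: <$tag> $name uses a javascript: URL";
            }
        }
    }
    return $findings;
}

// Constructed sample template. The class value containing "on" is ordinary
// content and is not flagged, because only attribute names are matched.
$template = <<<'HTML'
<html><body onLoad="init()">
<p class="online-note">Welcome</p>
<a href="jav&#x09;ascript:void(0)">menu</a>
<script>var x = 1;</script>
</body></html>
HTML;

print_r(find_script_content($template));
```

The parser behind DOMDocument does not read markup exactly as a browser does, so treat an empty result as "nothing found by this check" rather than proof the template is safe. For the "remove" option, an allowlist of permitted tags and attributes is more dependable than deleting the items flagged here.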

