Javascript security?

psychotomus
Forum Contributor
Posts: 487
Joined: Fri Jul 11, 2003 1:59 am

Javascript security?

Post by psychotomus »

Here's what I want to do. I want to allow people to upload a zip of their web layout, and it will extract to a directory like http://blah.com/layout/index.htm

I am not too familiar with JavaScript, so what kind of dangers could happen to my site by allowing people to run JavaScript located on my server? What kind of workarounds are there to stop these dangers from happening?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Javascript security?

Post by John Cartwright »

Allowing remote users to execute JavaScript on your site is extremely dangerous. The potential for defacing your site is very real, and it could easily steal users' cookies. It would be near impossible to filter out potentially dangerous scripts, since JavaScript is highly dynamic.

Basically, you shouldn't do it.


Moved to Javascript forum.
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: Javascript security?

Post by Darhazer »

What does JavaScript have to do with uploading and unzipping the file?

You have to set up your server in a way that all files in the unzipped folder will be forced to be downloaded and no files will be executed, no matter if they are PHP, JPG or anything else.
psychotomus

Re: Javascript security?

Post by psychotomus »

Darhazer wrote: What does JavaScript have to do with uploading and unzipping the file?

You have to set up your server in a way that all files in the unzipped folder will be forced to be downloaded and no files will be executed, no matter if they are PHP, JPG or anything else.

I want to extract the contents of the zip to a directory, then allow members to view the web template...
psychotomus

Re: Javascript security?

Post by psychotomus »

John Cartwright wrote: Allowing remote users to execute JavaScript on your site is extremely dangerous. The potential for defacing your site is very real, and it could easily steal users' cookies. It would be near impossible to filter out potentially dangerous scripts, since JavaScript is highly dynamic.

I don't want them to execute JavaScript. I want to avoid that problem =) What about removing all JS files from the package and removing any reference to them?
John Cartwright

Re: Javascript security?

Post by John Cartwright »

psychotomus wrote:
John Cartwright wrote: Allowing remote users to execute JavaScript on your site is extremely dangerous. The potential for defacing your site is very real, and it could easily steal users' cookies. It would be near impossible to filter out potentially dangerous scripts, since JavaScript is highly dynamic.

I don't want them to execute JavaScript. I want to avoid that problem =) What about removing all JS files from the package and removing any reference to them?
I am not too familiar with JavaScript, so what kind of dangers could happen to my site by allowing people to run JavaScript located on my server? What kind of workarounds are there to stop these dangers from happening?
You need to word your questions better then. Even if you allow them to upload HTML, they could use inline JavaScript. You would basically need to filter all the events possible... onclick(), onmouseover(), etc. You also need to filter for <script> tags. I am probably still missing something though.

It is just basically never a good idea to give users this kind of control.
Darhazer

Re: Javascript security?

Post by Darhazer »

If you need to filter HTML, you can use HTML Purifier.
psychotomus

Re: Javascript security?

Post by psychotomus »

I want to keep the html. Just filter JS. ;]
Darhazer

Re: Javascript security?

Post by Darhazer »

psychotomus wrote: I want to keep the html. Just filter JS. ;]
Yeah, you can use HTML Purifier for this :)
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
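The two answers above describe the same defensive idea from different angles: John's list of things to strip (script tags, onclick/onmouseover and the other event attributes) is a blacklist, and the reason he expects to be "still missing something" is that a blacklist has to enumerate every dangerous construct. HTML Purifier instead keeps only a whitelist of known-safe tags and attributes and drops everything else. The following is an added example of that whitelist approach written in Python with the standard-library parser, not HTML Purifier's code and not anything posted in the thread; the tag and attribute lists, the sample "layout" page, and the `javascript:` URL check (which goes one step beyond the constructs the thread names) are assumptions made for this illustration.

```python
"""Whitelist-based HTML sanitizer (added example, not HTML Purifier's code).

Keeps only tags/attributes on an allowlist, so every on* event handler,
<script> block and script-carrying URL is dropped without having to
enumerate each one. The allowlists below are constructed for this example.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"html", "head", "title", "body", "div", "span", "p", "a", "img",
                "ul", "ol", "li", "h1", "h2", "h3", "table", "tr", "td", "th",
                "b", "i", "em", "strong", "br", "link"}
# Per-tag allowed attributes; "*" applies to every allowed tag. Anything not
# listed here (including every onclick/onmouseover/onerror handler) is dropped.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "link": {"rel", "href"},
    "*": {"class", "id"},
}
# Tags whose whole content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img", "link"}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "./", "#")


def safe_url(value):
    """Allow http(s) and relative URLs only; rejects javascript:, data:, etc.
    The parser has already decoded entities, so '&#106;avascript:' is seen
    as 'javascript:' here."""
    v = value.strip().lower()
    if any(v.startswith(p) for p in SAFE_URL_PREFIXES):
        return True
    return ":" not in v  # bare relative path such as "images/logo.png"


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped-content tag

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept
        allowed = ALLOWED_ATTRS.get(tag, set()) | ALLOWED_ATTRS["*"]
        kept = []
        for name, value in attrs:  # HTMLParser lowercases tag and attr names
            if name not in allowed:
                continue
            if name in ("href", "src") and not safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped entirely


def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)


# Constructed sample layout page containing the patterns the thread worries about.
SAMPLE = (
    '<html><body class="layout">'
    '<script>alert("inline script")</script>'
    '<h1 onmouseover="alert(1)">My Layout</h1>'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="http://example.com/" onclick="alert(1)">ok link</a>'
    '<img src="pic.png" onerror="alert(1)">'
    '</body></html>'
)
EXPECTED = ('<html><body class="layout"><h1>My Layout</h1><a>click</a>'
            '<a href="http://example.com/">ok link</a><img src="pic.png">'
            '</body></html>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Run on the extracted template before it is served; every element and attribute the allowlist does not name is gone from the output, which is why the approach does not depend on remembering each event attribute. A production deployment would use HTML Purifier itself (or another maintained sanitizer), since a real allowlist also has to handle CSS, nested-quoting edge cases and browser parsing quirks this short example does not cover.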
John Cartwright

Re: Javascript security?

Post by John Cartwright »

Good point. I had forgotten about HTML Purifier.

+1
psychotomus

Re: Javascript security?

Post by psychotomus »

I'll take a look into HTML Purifier. ;) Thanks.