Javascript security?

Posted: Thu Feb 10, 2011 8:26 am
by psychotomus
Here's what I want to do. I want to allow people to upload a zip of their web layout and it will extract to a directory http://blah.com/layout/index.htm

I am not too familiar with JavaScript, so what kind of dangers could happen to my site by allowing people to run JavaScript located on my server? What kind of workarounds are there to stop these dangers from happening?

Re: Javascript security?

Posted: Thu Feb 10, 2011 8:54 am
by John Cartwright
Allowing remote users to execute JavaScript on your site is extremely dangerous. The potential for defacing your site is very real, and they could easily steal users' cookies. It would be near impossible to filter out potentially dangerous scripts, since JavaScript is highly dynamic.

Basically, you shouldn't do it.


Moved to Javascript forum.

Re: Javascript security?

Posted: Thu Feb 10, 2011 9:35 am
by Darhazer
What does JavaScript have to do with uploading and unzipping the file?

You have to set up your server in a way that all files in the unzipped folder will be forced to be downloaded and no files will be executed, no matter if they are php, jpg or anything else.

Re: Javascript security?

Posted: Thu Feb 10, 2011 12:16 pm
by psychotomus
Darhazer wrote:What does JavaScript have to do with uploading and unzipping the file?

You have to set up your server in a way that all files in the unzipped folder will be forced to be downloaded and no files will be executed, no matter if they are php, jpg or anything else.

I want to extract the contents of the zip to a directory then allow members to view the web template...

Re: Javascript security?

Posted: Thu Feb 10, 2011 12:18 pm
by psychotomus
John Cartwright wrote:Allowing remote users to execute JavaScript on your site is extremely dangerous. The potential for defacing your site is very real, and they could easily steal users' cookies. It would be near impossible to filter out potentially dangerous scripts, since JavaScript is highly dynamic.

I don't want them to execute JavaScript. I want to avoid that problem =) What about removing all JS files from the package and removing any reference to them?

Re: Javascript security?

Posted: Thu Feb 10, 2011 12:21 pm
by John Cartwright
psychotomus wrote:
John Cartwright wrote:Allowing remote users to execute JavaScript on your site is extremely dangerous. The potential for defacing your site is very real, and they could easily steal users' cookies. It would be near impossible to filter out potentially dangerous scripts, since JavaScript is highly dynamic.

I don't want them to execute JavaScript. I want to avoid that problem =) What about removing all JS files from the package and removing any reference to them?
I am not too familiar with JavaScript, so what kind of dangers could happen to my site by allowing people to run JavaScript located on my server? What kind of workarounds are there to stop these dangers from happening?
You need to word your questions better, then. Even if you allow them to upload HTML they could use inline JavaScript. You would basically need to filter all the possible events... onclick(), onmouseover(), etc. You also need to filter for <script> tags. I am probably still missing something though.

It is just basically never a good idea to give users this kind of control.

Re: Javascript security?

Posted: Fri Feb 11, 2011 4:47 am
by Darhazer
If you need to filter HTML, you can use HTML Purifier.

Re: Javascript security?

Posted: Fri Feb 11, 2011 5:01 am
by psychotomus
I want to keep the html. Just filter JS. ;]

Re: Javascript security?

Posted: Fri Feb 11, 2011 5:20 am
by Darhazer
psychotomus wrote:I want to keep the HTML. Just filter JS. ;]
Yeah, you can use HTML Purifier for this :)
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
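As an added illustration (not code from either poster, and not HTML Purifier itself), here is a small Python sanitizer built on the allowlist principle both replies point at: instead of trying to enumerate every onclick/onmouseover handler and <script> variant, it keeps only a fixed set of tags, attributes and URL schemes and drops everything else from an uploaded template file. The allowed sets and the sanitize_template function are my own choices for the example, not anything the thread specifies.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: a tag or attribute not named here is removed, so every on* event handler,
# style= attribute and unknown element is dropped without having to enumerate them.
ALLOWED_TAGS = {"html", "head", "title", "link", "body", "div", "span", "p", "a", "img", "h1", "h2", "ul", "li", "br", "hr", "em"}
ALLOWED_ATTRS = {"href", "src", "alt", "class", "id", "rel", "type"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # element and its body both go
VOID = {"br", "hr", "img", "link"}

def url_is_safe(value):
    cleaned = (value or "").translate(str.maketrans("", "", "\t\r\n")).strip()  # browsers skip these
    return urlparse(cleaned).scheme in {"", "http", "https"}  # relative or http(s) only

class TemplateSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], [], 0  # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            self.dropped.append(f"<{tag}> with content")
        elif not self.skip and tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")  # the tag goes, its text content stays
        elif not self.skip:
            kept = ""
            for name, value in attrs:  # names arrive lowercased, so ONCLICK is caught as well
                if name not in ALLOWED_ATTRS or (name in ("href", "src") and not url_is_safe(value)):
                    self.dropped.append(f"{tag}@{name}")
                else:
                    kept += f' {name}="{escape(value or "", quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(self.skip - 1, 0)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_template(html_text):
    parser = TemplateSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped
```

Comments and the doctype are dropped as well, because HTMLParser's default handlers for them do nothing and only the three handlers above write output. The returned list of removed items lets you tell the uploader exactly what was stripped from their template.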

Re: Javascript security?

Posted: Fri Feb 11, 2011 8:50 am
by John Cartwright
Good point. I had forgotten about HTML Purifier.

+1

Re: Javascript security?

Posted: Sun Feb 13, 2011 9:24 am
by psychotomus
I'll take a look into HTML Purifier. ;) Thanks.