JavaScript Security.

JavaScript and client side scripting.

Post by JellyFish »

When I created a feature on my site, at the time, I didn't realize that allowing them to enter a web address allows them to insert "javascript: command" instead.

As I look back on this I say to myself "Well I could just use PHP to prevent such a href, simply!".

Are there any other hrefs that could pose a threat I'm not aware of?

Post by feyd »

about: .. there are others.. read the browser security bulletins available in many locations.

Post by JellyFish »

If I just insert the string "http://" in front of the href would this prevent the other protocols? E.g:

"www.example.com"

would be concatenated with "http://" like so:

"http://www.example.com"

as with:

"javascript: alert("Malicious");"

would be:

"http://javascript: alert("Malicious");"

same with about and others except for strings that begin with "http://".

Would this solve the problem?

Post by feyd »

And what of other proper protocols like https, ftp, ftps, among the many many others?

Post by superdezign »

feyd wrote: And what of other proper protocols like https, ftp, ftps, among the many many others?
Speaking of many, many others, should a website that doesn't endorse software that handles other protocols allow them? Should they regex [\w]{3,5}://, or [\w]{3,}:// ? (Or specify the acceptable possibilities)

Post by feyd »

That's a subjective question I cannot faithfully answer.

Post by JellyFish »

Wha?

The Hypertext-Transfer Protocol is the most popular among the web. I don't see why there would be a problem.

Also it depends on the crowd of people my website is expecting. And those with usual websites are expected to have the http protocol.

Name a handful of websites using another.

Post by feyd »

You obviously know more than me...

Post by superdezign »

:lol:

JellyFish, what are they entering the URL for? What does it do?

Post by JellyFish »

It's a link to their website homepage.

Doesn't almost every website have the http protocol?
feyd wrote: You obviously know more than me...
I don't, sadly. :(

Post by superdezign »

And https://. But what if the website that they want to share is a public ftp that they have? Unlikely, but completely possible.

I'd just check for a protocol, period, rather than force http:// on them, and force http:// on users that don't specify a protocol at all. The best apps are about flexibility.
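An added example, not code from anyone in this thread, written in Python because the check is language-independent (a PHP port is straightforward): it puts the blind "http://" prefix from earlier in the thread beside a scheme-allowlist validator that does what superdezign describes, accepting only http, https and ftp, adding http:// when no scheme is given, and rejecting javascript:, about:, data: and similar links regardless of case or surrounding whitespace. The allowlist, the function names and the host syntax rules are my assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed policy for this site: link schemes we are willing to emit.
# Anything else (javascript:, data:, about:, vbscript:, file: ...) is
# rejected by omission rather than by a blocklist that must stay complete.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp"})

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# Plausible DNS-style host: letters, digits, dots, hyphens (no IPv6 literals).
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.\-]*[A-Za-z0-9])?$")


def naive_prefix(raw: str) -> str:
    """The approach proposed in the thread: blindly prepend http://.
    It produces strings like 'http://javascript: alert(...)' and never
    decides whether the input was acceptable in the first place."""
    return raw if raw.startswith("http://") else "http://" + raw


def normalize_link(raw: str) -> Optional[str]:
    """Return a safe absolute URL for a user-supplied homepage link, or None.

    Leading/trailing whitespace is stripped; any remaining control character
    (tab, newline, NUL ...) makes the input invalid. An explicit scheme must
    be in ALLOWED_SCHEMES (compared case-insensitively); input without a
    scheme gets 'http://' prepended. The result must parse to a plausible
    host and a numeric port. Note: 'host:8080' with no scheme parses as
    scheme 'host' and is therefore rejected; users must write 'http://'.
    """
    url = raw.strip()
    if not url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return None
    m = _SCHEME_RE.match(url)
    if m:
        scheme = m.group(1).lower()
        if scheme not in ALLOWED_SCHEMES:
            return None                       # javascript:, about:, JAVASCRIPT: ...
        url = scheme + url[m.end() - 1:]      # canonicalise scheme case
    else:
        url = "http://" + url                 # the superdezign default
    parts = urlsplit(url)
    try:
        parts.port                            # ValueError on 'javascript: alert'
    except ValueError:
        return None
    host = parts.hostname                     # None for 'http://' or 'http:////x'
    if not host or not _HOST_RE.match(host):
        return None
    return urlunsplit(parts)
```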

Post by JellyFish »

superdezign wrote: The best apps are about flexibility.
I understand. But they could always have a website that redirects or that contains links to another protocol.

I'll have to make this decision on my own. Thanks for your input guys. :D

Post by superdezign »

HTTP websites can redirect too...

Edit: Misread your post.

I understand it's "your decision" and all, but every little bit counts. No user likes to feel restricted.

Post by Luke »

So the user should have to set up a redirect on their end just to be compatible with your application?

Post by JellyFish »

Luke wrote: So the user should have to set up a redirect on their end just to be compatible with your application?
True... It may suck, but who knows, it might work out. I'll see once I launch the site.