JavaScript Security.
When I created a feature on my site, at the time, I didn't realize that allowing them to enter a web address allows them to insert "javascript: command" instead.
As I look back on this I say to myself "Well I could just use PHP to prevent such a href, simply!".
Are there any other hrefs that could pose a threat that I'm not aware of?
If I just insert the string "http://" in front of the href would this prevent the other protocols? E.g.:
"www.example.com"
would be concatenated with "http://" like so:
"http://www.example.com"
as with:
"javascript: alert("Malicious");"
would be:
"http://javascript: alert("Malicious");"
same with about and others except for strings that begin with "http://".
Would this solve the problem?
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
feyd wrote: And what of other proper protocols like https, ftp, ftps, among the many many others?
Speaking of many, many others, should a website that doesn't endorse software that handles other protocols allow them? Should they regex [\w]{3,5}://, or [\w]{3,}:// ? (Or specify the acceptable possibilities)
Wha?
The Hypertext Transfer Protocol is the most popular among the web. I don't see why there would be a problem.
Also it depends on the crowd of people my website is expecting. And those with usual web sites are expected to have the http protocol.
Name a handful of websites using another.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
And https://. But what if the website that they want to share is a public ftp that they have? Unlikely, but completely possible.
I'd just check for a protocol, period, rather than force http:// on them, and force http:// on users that don't specify a protocol at all. The best apps are about flexibility.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
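The two approaches discussed in this thread side by side, as an added example that is not from any poster (written in Python rather than the PHP the first post mentions): the prepend-http:// idea from the opening post, and the scheme-allowlist check superdezign describes, which accepts a known set of protocols and only adds http:// when the user gave no protocol at all. ALLOWED_SCHEMES, the function names and the sample inputs are my own choices.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist; extend it only for protocols the site actually wants to link to.
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def prepend_http_only(raw):
    """The thread's first idea: keep http:// links, prefix everything else with http://.

    It does neutralise javascript: (the text becomes a bogus host name), but it also
    mangles every legitimate https:// or ftp:// link, which is the objection raised later.
    """
    link = raw.strip()
    return link if link.startswith("http://") else "http://" + link


def normalize_link(raw):
    """Return an absolute URL that is safe to place in an href, or None to reject the input.

    Rules: no whitespace or control characters anywhere (they can hide the real scheme
    from a naive prefix check); a missing scheme is assumed to be http; any scheme
    outside ALLOWED_SCHEMES (javascript, about, data, ...) is rejected.
    """
    link = raw.strip()
    if not link or any(ch.isspace() or ord(ch) < 0x20 for ch in link):
        return None
    parts = urlsplit(link)
    if parts.scheme == "":
        # "www.example.com" -> "http://www.example.com"
        parts = urlsplit("http://" + link)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs: the ones discussed in the thread plus a few variants.
    for sample in ["www.example.com", "https://example.com/a?b=1", "ftp://files.example.org",
                   'javascript: alert("Malicious");', "about:blank", "JAVASCRIPT:alert(1)"]:
        print(f"{sample!r:38} prepend-only: {prepend_http_only(sample)!r:42} "
              f"allowlist: {normalize_link(sample)!r}")
```

One caveat: urlsplit treats a bare "host:port" without a scheme as having the scheme "host", so such input is rejected here and would need separate handling if the site wants to accept it.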