JavaScript Security.
Posted: Fri Jun 15, 2007 5:02 pm
by JellyFish
When I created a feature on my site, at the time, I didn't realize that allowing them to enter a web address allows them to insert "javascript: command" instead.
As I look back on this I say to myself "Well I could just use PHP to prevent such a href, simply!".
Are there any other hrefs that could pose a threat I'm not aware of?
Posted: Fri Jun 15, 2007 5:08 pm
by feyd
about: .. there are others.. read the browser security bulletins available in many locations.
Posted: Fri Jun 15, 2007 6:00 pm
by JellyFish
If I just insert the string "http://" in front of the href, would this prevent the other protocols? E.g.:
"www.example.com"
would be concatenated with "http://" like so:
"http://www.example.com"
as with:
"javascript: alert("Malicious");"
would be:
"http://javascript: alert("Malicious");"
same with about and others, except for strings that begin with "http://".
Would this solve the problem?
Posted: Fri Jun 15, 2007 6:08 pm
by feyd
And what of other proper protocols like https, ftp, ftps, among the many many others?
Posted: Fri Jun 15, 2007 7:43 pm
by superdezign
feyd wrote: And what of other proper protocols like https, ftp, ftps, among the many many others?
Speaking of many, many others, should a website that doesn't endorse software that handles other protocols allow them? Should they regex [\w]{3,5}://, or [\w]{3,}:// ? (Or specify the acceptable possibilities)
Posted: Fri Jun 15, 2007 7:50 pm
by feyd
That's a subjective question I cannot faithfully answer.
Posted: Sat Jun 16, 2007 12:07 am
by JellyFish
Wha?
The Hypertext-Transfer Protocol is the most popular among the web. I don't see why there would be a problem.
Also it depends on the crowd of people my website is expecting. And those with usual websites are expected to have the http protocol.
Name a handful of websites using another.
Posted: Sat Jun 16, 2007 12:35 am
by feyd
You obviously know more than me...
Posted: Sat Jun 16, 2007 11:13 am
by superdezign
JellyFish, what are they entering the URL for? What does it do?
Posted: Sun Jun 17, 2007 3:19 pm
by JellyFish
It's a link to their website homepage.
Doesn't almost every website have the http protocol?
feyd wrote: You obviously know more than me...
I don't, sadly.

Posted: Sun Jun 17, 2007 4:28 pm
by superdezign
And https://. But what if the website that they want to share is a public ftp that they have? Unlikely, but completely possible.
I'd just check for a protocol, period, rather than force http:// on them, and force http:// on users that don't specify a protocol at all. The best apps are about flexibility.
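The approach superdezign describes, written out as an added example (not code from anyone in this thread): allow-list the scheme instead of prefixing "http://", and default to http:// only when no scheme was given. The function name, the allowed-scheme list and the sample inputs are my own choices.

```php
<?php
// Allow-listed schemes; anything else (javascript:, about:, data:, ...) is rejected.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp'];

/**
 * Returns a URL safe to place in an href, or null if the input is rejected.
 */
function sanitizeHomepageUrl(string $input): ?string
{
    // Browsers ignore ASCII control characters (tab, CR, LF) inside the scheme
    // and trim surrounding whitespace, so normalise the same way before checking.
    $url = trim(preg_replace('/[\x00-\x1F\x7F]+/', '', $input));
    if ($url === '') {
        return null;
    }

    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
    if (preg_match('/^([A-Za-z][A-Za-z0-9+.\-]*):/', $url, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
            return null;
        }
        // For the allowed schemes, also require "scheme://" plus a non-empty host.
        if (!preg_match('#^' . preg_quote($scheme, '#') . '://[^/?\#\s]+#i', $url)) {
            return null;
        }
        return $url;
    }

    // No scheme at all: accept a plain hostname (optionally with a path) and
    // default it to http://. A bare "host:port" looks like a scheme above and
    // is deliberately rejected rather than guessed at.
    if (preg_match('#^[A-Za-z0-9.\-]+(/.*)?$#', $url)) {
        return 'http://' . $url;
    }
    return null;
}

// Constructed sample inputs (not from the thread).
$samples = [
    'www.example.com',
    'https://example.com/home',
    'ftp://files.example.com/',
    'javascript: alert("Malicious")',
    "JAVA\tSCRIPT:alert(1)",
    'about:blank',
];
foreach ($samples as $s) {
    printf("%-32s => %s\n", addcslashes($s, "\t"), sanitizeHomepageUrl($s) ?? 'REJECTED');
}
```

Run it with `php sanitize.php`; the first three inputs come back usable and the last three are rejected.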
Posted: Sun Jun 17, 2007 5:38 pm
by JellyFish
superdezign wrote: The best apps are about flexibility.
I understand. But they could always have a website that redirects or that contains links to another protocol.
I'll have to make this decision on my own. Thanks for your input, guys.

Posted: Sun Jun 17, 2007 6:52 pm
by superdezign
HTTP websites can redirect too...
Edit: Misread your post.
I understand it's "your decision" and all, but every little bit counts. No user likes to feel restricted.
Posted: Sun Jun 17, 2007 7:08 pm
by Luke
So the user should have to set up a redirect on their end just to be compatible with your application?

Posted: Sun Jun 17, 2007 9:13 pm
by JellyFish
Luke wrote: So the user should have to set up a redirect on their end just to be compatible with your application?
True... It may suck, but who knows, it might work out. I'll see once I launch the site.