JavaScript Security.

Posted: Fri Jun 15, 2007 5:02 pm
by JellyFish
When I created a feature on my site, at the time, I didn't realize that allowing them to enter a web address allows them to insert "javascript: command" instead.

As I look back on this I say to myself "Well I could just use PHP to prevent such a href, simply!".

Are there any other hrefs that could pose a threat I'm not aware of?

Posted: Fri Jun 15, 2007 5:08 pm
by feyd
about: ... there are others. Read the browser security bulletins available in many locations.

Posted: Fri Jun 15, 2007 6:00 pm
by JellyFish
If I just insert the string "http://" in front of the href would this prevent the other protocols? E.g:

"www.example.com"

would be concatenated with "http://" like so:

"http://www.example.com"

as with:

"javascript: alert("Malicious");"

would be:

"http://javascript: alert("Malicious");"

same with about and others except for strings that begin with "http://".

Would this solve the problem?

Posted: Fri Jun 15, 2007 6:08 pm
by feyd
And what of other proper protocols like https, ftp, ftps, among the many many others?

Posted: Fri Jun 15, 2007 7:43 pm
by superdezign
feyd wrote: And what of other proper protocols like https, ftp, ftps, among the many many others?
Speaking of many, many others, should a website that doesn't endorse software that handles other protocols allow them? Should they regex [\w]{3,5}://, or [\w]{3,}:// ? (Or specify the acceptable possibilities)

Posted: Fri Jun 15, 2007 7:50 pm
by feyd
That's a subjective question I cannot faithfully answer.

Posted: Sat Jun 16, 2007 12:07 am
by JellyFish
Wha?

The Hypertext-Transfer Protocol is the most popular among the web. I don't see why there would be a problem.

Also it depends on the crowd of people my website is expecting. And those with usual websites are expected to have the http protocol.

Name a handful of websites using another.

Posted: Sat Jun 16, 2007 12:35 am
by feyd
You obviously know more than me...

Posted: Sat Jun 16, 2007 11:13 am
by superdezign
:lol:

JellyFish, what are they entering the URL for? What does it do?

Posted: Sun Jun 17, 2007 3:19 pm
by JellyFish
It's a link to their website homepage.

Doesn't almost every website have the http protocol?
feyd wrote: You obviously know more than me...
I don't, sadly. :(

Posted: Sun Jun 17, 2007 4:28 pm
by superdezign
And https://. But what if the website that they want to share is a public ftp that they have? Unlikely, but completely possible.

I'd just check for a protocol, period, rather than force http:// on them, and force http:// on users that don't specify a protocol at all. The best apps are about flexibility.
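
One way to implement the approach superdezign describes (allowlist the explicit scheme, default to http:// when none is given, reject everything else) is shown below. This is an added example, not code from the thread or from any poster's site; the allowlist contents and the function name are assumptions.

```php
<?php
// Added example (not from the thread): normalise a user-supplied homepage
// link. An explicit scheme is accepted only if it is on the allowlist, a
// missing scheme gets http:// prepended, and anything else (javascript:,
// about:, data:, ...) is rejected rather than "repaired".

const ALLOWED_SCHEMES = ['http', 'https', 'ftp'];   // hypothetical site policy

/**
 * Returns a safe absolute URL, or null if the input must be rejected.
 */
function normalize_homepage_url(string $input): ?string
{
    // Browsers ignore leading/trailing whitespace and control characters
    // when reading a scheme, so strip them before inspecting it.
    $url = preg_replace('/^[\s\x00-\x1F]+|[\s\x00-\x1F]+$/', '', $input);
    if ($url === '') {
        return null;
    }

    // RFC 3986 scheme: a letter followed by letters, digits, "+", "-" or ".".
    // Compare case-insensitively: "JAVAscript:" is still javascript:.
    if (preg_match('#^([A-Za-z][A-Za-z0-9+.\-]*):#', $url, $m)) {
        if (!in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
            return null;    // unknown or dangerous scheme: reject, don't guess
        }
    } else {
        // No scheme at all ("www.example.com"): force http:// as the default.
        $url = 'http://' . $url;
    }

    // Second sanity check: the result must parse with both a scheme and a host.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    return $url;
}

// Constructed sample inputs, including the cases discussed in the thread.
foreach (['www.example.com', 'https://example.com/', 'ftp://files.example.com/pub/',
          'javascript: alert("Malicious");', ' JAVAscript:alert(1)', 'about:blank']
         as $candidate) {
    printf("%-35s => %s\n", var_export($candidate, true),
        normalize_homepage_url($candidate) ?? 'REJECTED');
}
```

Note that an input such as "example.com:8080/path" is rejected too, because a browser would also read "example.com" as the scheme; that is the safe default for a homepage field.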

Posted: Sun Jun 17, 2007 5:38 pm
by JellyFish
superdezign wrote: The best apps are about flexibility.
I understand. But they could always have a website that redirects or that contains links to another protocol.

I'll have to make this decision on my own. Thanks for your input guys. :D

Posted: Sun Jun 17, 2007 6:52 pm
by superdezign
HTTP websites can redirect too...

Edit: Misread your post.

I understand it's "your decision" and all, but every little bit counts. No user likes to feel restricted.

Posted: Sun Jun 17, 2007 7:08 pm
by Luke
So the user should have to set up a redirect on their end just to be compatible with your application?

Posted: Sun Jun 17, 2007 9:13 pm
by JellyFish
Luke wrote: So the user should have to set up a redirect on their end just to be compatible with your application?
True... It may suck, but who knows, it might work out. I'll see once I launch the site.