Javascript security?
psychotomus
- Forum Contributor
- Posts: 487
- Joined: Fri Jul 11, 2003 1:59 am
Javascript security?
Here's what I want to do. I want to allow people to upload a zip of their web layout and it will extract to a directory http://blah.com/layout/index.htm
I am not too familiar with Javascript, so what kind of dangers could happen to my site by allowing people to run JavaScript located on my server? What kind of workarounds are there to stop these dangers from happening?
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Re: Javascript security?
Allowing remote users to execute javascript on your site is extremely dangerous. The potential for defacing your site is very real, and it could easily steal users' cookies. It would be near impossible to filter out potentially dangerous scripts, since javascript is highly dynamic.
Basically, you shouldn't do it.
Moved to Javascript forum.
Re: Javascript security?
What does javascript have to do with uploading and unzipping the file?
You have to set up your server in a way that all files in the unzipped folder will be forced to be downloaded and no files will be executed, no matter if they are php, jpg or anything else.
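An added example of what the post above amounts to in code; it is not code from anyone in this thread. It extracts an uploaded layout zip into the target directory while refusing any member whose path would leave that directory or whose name carries an extension the web server might hand to an interpreter (including a second extension such as page.php.jpg, which some server configurations still map to a handler). The extension allowlist, the file names in the constructed sample zip, and the assumption that the kept .htm files are afterwards filtered (for example with HTML Purifier) are all assumptions made for this example.

```python
"""Safe extraction of an uploaded layout zip (added example, not thread code)."""
import io
import shutil
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Only static layout assets; nothing a web server would pass to an interpreter
# (allowlist is an assumption for this example)
ALLOWED_EXTENSIONS = {".htm", ".html", ".css", ".png", ".jpg", ".jpeg", ".gif"}
# Must not appear anywhere in the name, because some server configurations pick
# a handler from any extension in "page.php.jpg", not just the last one
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".cgi", ".pl", ".py",
                         ".js", ".asp", ".jsp"}


def check_member(name, dest):
    """Return None if zip member `name` may be written under `dest`, else a reason.

    `dest` must be an already-resolved pathlib.Path.
    """
    path = PurePosixPath(name)          # zip names always use forward slashes
    if path.is_absolute() or ".." in path.parts:
        return "path escapes target directory"
    target = dest.joinpath(*path.parts).resolve()
    if dest not in target.parents:      # belt and braces after the check above
        return "path escapes target directory"
    if path.suffix.lower() not in ALLOWED_EXTENSIONS:
        return "disallowed file type"
    if any(s.lower() in EXECUTABLE_EXTENSIONS for s in path.suffixes):
        return "executable extension in name"
    return None


def extract_template(zip_bytes, dest):
    """Write the allowed members of `zip_bytes` under `dest`.

    Returns (accepted_names, [(rejected_name, reason), ...]).
    """
    dest = Path(dest).resolve()
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = check_member(info.filename, dest)
            if reason:
                rejected.append((info.filename, reason))
                continue
            target = dest.joinpath(*PurePosixPath(info.filename).parts)
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            accepted.append(info.filename)
    return accepted, rejected


def demo():
    """Build a constructed sample upload in memory and extract it to a temp dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.htm", "<h1>My layout</h1>")
        zf.writestr("css/style.css", "h1 { color: red }")
        zf.writestr("img/logo.png", b"\x89PNG not a real image")
        zf.writestr("install.php", "<?php echo 'hello'; ?>")      # server-side script
        zf.writestr("install.php.jpg", "<?php echo 'hello'; ?>")  # double extension
        zf.writestr("../../outside.htm", "<p>escapes the layout dir</p>")
    with tempfile.TemporaryDirectory() as tmp:
        accepted, rejected = extract_template(buf.getvalue(), tmp)
    return accepted, [name for name, _ in rejected]


if __name__ == "__main__":
    kept, refused = demo()
    print("kept:   ", kept)
    print("refused:", refused)
```

The rejected list is worth logging rather than silently discarding: a layout upload that contains .php files or "../" paths is a useful signal in its own right, and the member that got dropped is what the uploader will ask about.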
psychotomus
- Forum Contributor
- Posts: 487
- Joined: Fri Jul 11, 2003 1:59 am
Re: Javascript security?
Darhazer wrote: What does javascript have to do with uploading and unzipping the file?
You have to set up your server in a way that all files in the unzipped folder will be forced to be downloaded and no files will be executed, no matter if they are php, jpg or anything else.
I want to extract the contents of the zip to a directory, then allow members to view the web template...
psychotomus
- Forum Contributor
- Posts: 487
- Joined: Fri Jul 11, 2003 1:59 am
Re: Javascript security?
John Cartwright wrote: Allowing remote users to execute javascript on your site is extremely dangerous. The potential for defacing your site is very real, and it could easily steal users' cookies. It would be near impossible to filter out potentially dangerous scripts, since javascript is highly dynamic.
I don't want them to execute javascript. I want to avoid that problem =) What about removing all JS files from the package and removing any reference to them?
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Re: Javascript security?
psychotomus wrote: John Cartwright wrote: Allowing remote users to execute javascript on your site is extremely dangerous. The potential for defacing your site is very real, and it could easily steal users' cookies. It would be near impossible to filter out potentially dangerous scripts, since javascript is highly dynamic.
I don't want them to execute javascript. I want to avoid that problem =) What about removing all JS files from the package and removing any reference to them?
You need to word your questions better then. Even if you allow them to upload html they could use inline javascript. You basically would need to filter all the events possible... onclick(), onmouseover(), etc. Also need to filter for <script> tags. I am probably still missing something though.
It is just basically never a good idea to give users this kind of control.
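An added example, not code from this thread and not HTML Purifier, showing the shape of the filter the post above describes, done the way a library like HTML Purifier does it: as an allowlist rather than a blocklist. It keeps only known-harmless tags and attributes, drops every on* event attribute, drops <script> (and similar) elements together with their content, and rejects href/src values whose scheme is not http, https, mailto or relative. The tag and attribute allowlists and the constructed sample template are assumptions for the example; a real layout will need the lists widened.

```python
"""Allowlist-based JavaScript stripper for uploaded HTML (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists are assumptions for a plain template; extend for real layouts
ALLOWED_TAGS = {
    "html", "head", "title", "body", "div", "span", "p", "a", "img", "br", "hr",
    "h1", "h2", "h3", "h4", "ul", "ol", "li", "table", "tr", "td", "th",
    "b", "i", "em", "strong",
}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class", "id",
                 "width", "height", "colspan", "rowspan"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}      # "" means a relative URL
# Elements removed together with everything inside them
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet", "noscript"}
VOID_TAGS = {"img", "br", "hr"}                       # never emit a closing tag


def _safe_url(value):
    # Browsers ignore tab/CR/LF inside a scheme, so drop them before checking.
    # HTMLParser has already decoded entities such as &#106;avascript: for us.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class JsStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)   # re-emit entities as written
        self.out = []
        self.skip_depth = 0     # > 0 while inside a dropped element
        self.dropped = []       # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")        # tag goes, its text stays
            return
        kept = []
        for name, value in attrs:                  # names arrive lowercased
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS and not _safe_url(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass    # comments are dropped; IE conditional comments can carry script

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_javascript(html):
    """Return (clean_html, dropped_items) for one uploaded template file."""
    parser = JsStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample with the three cases from the post: an event attribute,
# a <script> element and a javascript: link, next to ordinary markup.
SAMPLE_TEMPLATE = (
    '<div onclick="steal()"><script>document.location="http://evil.example/"</script>'
    '<a href="javascript:alert(1)">x</a><a href="/page.htm">ok</a>'
    '<img src="logo.png" onerror="x()"></div>'
)

if __name__ == "__main__":
    clean, dropped = strip_javascript(SAMPLE_TEMPLATE)
    print(clean)
    print("removed:", dropped)
```

The point of the allowlist is the part of the post that says "I am probably still missing something": with a blocklist you have to enumerate every event name and every script-bearing attribute, and a miss is a hole; with an allowlist a miss only means a harmless attribute got stripped. Even so, a parser written for this one thread is no substitute for a maintained library, which is why the thread ends up at HTML Purifier.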
Re: Javascript security?
If you need to filter HTML, you can use HTML Purifier
psychotomus
- Forum Contributor
- Posts: 487
- Joined: Fri Jul 11, 2003 1:59 am
Re: Javascript security?
I want to keep the html. Just filter JS. ;]
Re: Javascript security?
psychotomus wrote: I want to keep the html. Just filter JS. ;]
Yeah, you can use HTML Purifier for this.
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Re: Javascript security?
Good point. I had forgotten about HTML purifier.
+1
psychotomus
- Forum Contributor
- Posts: 487
- Joined: Fri Jul 11, 2003 1:59 am
Re: Javascript security?
I'll take a look into HTML Purifier.
Thanks.