
Security on javascript and html code

         

asdasd

7:21 am on Nov 10, 2004 (gmt 0)

10+ Year Member



Hi,

I am planning to allow public users to input whatever JavaScript or HTML code they like into a form textarea and output it to a page.

May I know how secure it is? Can the public run some JavaScript, DHTML or HTML code to retrieve sensitive information on my server?

Thanks,

Andy

RonPK

9:52 am on Nov 10, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



JavaScript can't read things on your server, as it is only executed client-side, i.e. on the visitor's PC.

On the visitor's PC JavaScript can read all the cookies that your server has sent to the visitor, and pass that information to the script author. This would enable session hijacking.

The script author would be in full control of your page:
document.body.style.display="none",
or
location="[any URL here]", or...

I recommend not allowing users to put JavaScript on your pages.
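A server-side rendering helper, added here as an example and not posted by anyone in this thread, showing the mitigation behind RonPK's answer: HTML-escape the textarea contents before writing them into the page, so the browser displays the submitted code as text instead of running it. The names escapeHtml, renderComment and containsNoExecutableMarkup are hypothetical, and the sample input is constructed from the snippets quoted above.

```javascript
// Added example (not from the thread): render user-submitted textarea content as
// inert text by HTML-escaping it before it is written into the page.
// escapeHtml, renderComment and containsNoExecutableMarkup are hypothetical names.

const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can open a tag or attribute context, so the
// browser shows the text instead of parsing it as markup or script.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Wrap the escaped content in a <pre> so line breaks survive; the result can
// be concatenated into the page body as-is.
function renderComment(userText) {
  return "<pre>" + escapeHtml(userText) + "</pre>";
}

// True when the rendered fragment contains no markup other than the wrapper,
// i.e. nothing left for the browser to interpret as a tag or script.
function containsNoExecutableMarkup(fragment) {
  const inner = fragment.replace(/^<pre>|<\/pre>$/g, "");
  return !/[<>]/.test(inner);
}

// Constructed sample: the kind of submission RonPK describes, built from the
// two snippets quoted in his post, with a placeholder URL.
const SAMPLE_INPUT =
  '<script>document.body.style.display="none";' +
  'location="https://example.invalid/";</script>';

// Stand-alone run: print the inert fragment that would be written to the page.
if (typeof require !== "undefined" && require.main === module) {
  console.log(renderComment(SAMPLE_INPUT));
}
```

Escaping on output is the general fix for any page that echoes user text; marking the session cookie HttpOnly in addition keeps document.cookie from exposing it even if a script does slip through elsewhere.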

Leosghost

1:21 pm on Nov 10, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



And certainly not if they might upload the "horror" that hit my box ..1.39kb of encrypted system trasher ..still sorting out the damage ....Even if I have to admit it is a superbly put together piece of code ..it's a PITA ..and you wouldn't want to host it ..