Refused to execute JavaScript script. Script source code found in request

In WebKit, I get the following error in my JavaScript:

Refused to execute JavaScript script. The source code for the script was found in the request.

The code is for JavaScript spinners; see ASCII Art.

The code used to work OK and still works correctly in Camino and Firefox. The error seems to occur when the page is saved via POST and then retrieved via GET. This happens on both Chrome/Mac and Safari/Mac.

Does anyone know what this means and how to fix it?

+79
javascript code-injection
Oct 10 '09 at 12:59
5 answers

This is a security measure that prevents XSS attacks (cross-site scripting).

This happens when some JavaScript code is sent to the server through an HTTP POST request and the same code is returned in the HTTP response. If Chrome detects this situation, the script is refused and you get the error message: Refused to execute a JavaScript script. Source code of script found within request.

Also see this Security in Depth blog post: New Security Features.

+65
Oct 10 '09 at 13:03

This "feature" can be disabled by sending the non-standard X-XSS-Protection HTTP header on the affected page.

X-XSS-Protection: 0
+129
Mar 02 '12 at 19:59

Short answer: refresh the page after first submitting the JavaScript, or click the URL that displays the page you are editing.

Long answer: because the text you filled into the form includes JavaScript, and the browser does not necessarily know that you are the source of that JavaScript, it is safer for the browser to assume that you are not the source of this JS and not run it.

An example. Suppose I gave you a link to your email or Facebook with some JavaScript in it. And imagine that JavaScript tells all your friends about my cool link. So the game of getting this link called becomes simple: find a place to submit JavaScript so that it is included in the page.

Chrome and other WebKit browsers try to reduce this risk by not executing any JavaScript in the response that was also present in the request. My vile attack is thwarted because your browser will never run this JS.

In your case, you submit it in a form field. The POST of the form then displays the page on which the JavaScript appears, which worries the browser. However, if your JavaScript was really saved, hitting the same page without submitting the form will allow it to execute.

+13
Oct 16

As others have said, this happens when the HTTP response contains a string of JavaScript and/or HTML that is also contained in the request. This is usually caused by entering JS or HTML in a form field, but it can also be triggered in other ways, such as manually adjusting URL parameters.

The problem is that someone with bad intentions can put any JS they want as the value, link to that URL with the malicious JS value, and cause problems for your users.

In almost every case, this can be fixed by HTML-encoding the response, although there are exceptions. For example, it will not be safe for content inside a <script> tag. Other specific cases can be handled differently; for example, input placed into a URL is better served by URL encoding.

As Kendall Hopkins mentioned, there may be a few occasions when you really want the JavaScript from form inputs to execute, for example when building an application like JSFiddle. In such cases, I would recommend that you at least sanitize the input in your backend code before writing it out blindly. After that, you can use the method he mentioned to prevent the XSS blocking (at least in Chrome), but keep in mind that it exposes you to attackers.

+1
Jul 07 '15 at 2:16
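As an added example, not code from the answer above, the following Node snippet shows the context-dependent encoding the answer recommends: HTML entities for an element body, URL encoding for a query parameter, and a JavaScript string literal (with `<` escaped) for a value inside a `<script>` block, which is the case the answer flags as not fixable by HTML encoding alone. The page template, the `escapeHtml`, `escapeJsString`, `renderProfile` and `scriptTagCount` helpers and the payload are all constructed for illustration. The same value is rendered once encoded and once raw so the difference is visible as a count of `<script>` elements.

```javascript
// Added example, not code from the answers: encode a user-supplied value for
// the context it lands in, so a reflected value can never become a script
// (and so the browser has no script source to match against the request).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// For a value placed inside a <script> block, HTML entities would be wrong
// (the script parser does not decode them). JSON.stringify yields a valid JS
// string literal; additionally escaping "<" stops "</script>" in the value
// from closing the element early.
function escapeJsString(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

// One value, three contexts: element body, URL query parameter, JS literal.
function renderProfile(name, tagline) {
  return [
    '<!doctype html><html><body>',
    '<h1>' + escapeHtml(name) + '</h1>',
    '<a href="/search?q=' + encodeURIComponent(name) + '">search</a>',
    '<script>var tagline = ' + escapeJsString(tagline) + ';</script>',
    '</body></html>',
  ].join('\n');
}

// Number of <script> elements the HTML parser would see in the markup.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed payload: tries to break out of every context at once.
const payload = '</script><script>alert(1)</script>';

// Encoded: the only <script> element is the one the template wrote.
const safePage = renderProfile(payload, payload);

// Unencoded, as the question's app did it: the payload adds two more.
const unsafePage = '<h1>' + payload + '</h1>' +
  '<script>var tagline = "' + payload + '";</script>';

console.log('scripts in encoded page:', scriptTagCount(safePage));     // 1
console.log('scripts in unencoded page:', scriptTagCount(unsafePage)); // 3
```

With the response encoded this way, the literal `<script>alert(1)</script>` from the request never appears as executable script in the response, so the browser-side check has nothing to refuse and the `X-XSS-Protection: 0` workaround is not needed.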

I used this PHP hack right after I connected to the database, but before the script is displayed from my _GET request:

if(!empty($_POST['contains_script'])) { echo "<script>document.location='template.php';</script>"; }

It was the cheapest solution for me.

0
Feb 07 '13 at 23:33
