Is it possible to sanitize Javascript code?

I want custom Javascript to contribute to areas of my website.

  • Is it completely insane?
  • Are there any sanitizer scripts for Javascript or good regex patterns for scanning alerts, iframes, deleted scripts and other malicious Javascript?
  • Should this process be resolved manually (by a person checking Javascript)?
  • Would it be more prudent to allow users to use a framework (like jQuery) instead of giving them access to real Javascript? Thus, it would be easier to control.

thanks

+7
javascript xss
8 answers

1. Is it crazy?

Do not think so, but close by. We'll see.

2. Are there any sanitizer scripts for Javascript or good regex patterns for scanning warnings, iframes, deleted scripts and other malicious Javascript?

Yes, at least there are Google Caja and ADsafe for code disinfection, allowing it to be isolated. I do not know to what extent they are trustworthy.

3. Should this process be resolved manually (by a person checking Javascript)?

It is possible that the sandbox will be unsuccessful, so this will be a reasonable decision, depending on the risk and compromise with the attack of malicious (or faulty) code.

4. Would it be more prudent to allow users to use a framework (for example, jQuery) rather than provide them with access to actual Javascript? Thus, it would be easier to control.

JQuery is just Javascript, so if you are trying to protect against attacks, this will not help.

If it is imperative to prevent such attacks, you can implement a custom language, parse it in the backend, and create managed, secure javascript; or you might consider another strategy, such as providing an API and accessing it from a third-party component of your application.

+4

I think the correct answer is: 1.

Once you enable Javascript, you open yourself and your users to all kinds of problems. There is no perfect way to clear Javascript, and people like the Troll Army will take it as their personal mission to confuse you.

+6

Check out Google Caja:

Caja allows websites to securely embed DHTML web applications from third parties and provides rich interaction between the implementation page and embedded applications. It uses an object security model to provide a wide range of flexible security policies so that the containing page can effectively control the use of embedded application user data and allow gadgets to prevent interference between gadget user interface elements.

+3

Instead of checking for evil things like a script, I would go for a whitelist of several commands that you expect to use. Then include a person to authorize and add new acceptable commands to the whitelist.

+1

Think about all the things YOU can do with javascript. Then think about what you would do if you could do it on someone else's website. This is what people will do only because they can, or to find out if they can. I do not think it's a good idea.

+1

It might be safer to develop / implement your own scripting language with restrictions, which can be very similar to JavaScript, but which is under the control of your own interpreter.

+1

  • Maybe. The scale of doing bad things will be much larger than when you simply enable HTML, but try to avoid using JavaScript.
  • I don't know.
  • Well, two things: you really want to spend your time on this, and if you do, you better make sure that they see the javascript code, not the real live JavaScript!
  • Why not influence it if you have someone who approves the posts and this person works with jQuery more than regular JavaScript.

0

Accept it in another domain. The same-origin security policy in browsers will prevent users' JS from attacking your site.

It is not enough to place it on another subdomain, since subdomains can set cookies in a higher level domain, and this can be used for a session fixation attack.

0
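
The cookie-scoping point in the last answer, as an added example (not part of the original answers): a simplified model of the RFC 6265 domain-match rule that shows why a sibling subdomain can scope a cookie so the main site receives it, while a separate registrable domain cannot. The host names, function names and the four-entry suffix set are constructed for illustration; real browsers consult the full Public Suffix List.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: real list is far larger).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Strip the optional leading dot of a Domain attribute and lowercase it.
function normalize(domain) {
  return domain.toLowerCase().replace(/^\./, "");
}

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when they are
// identical or the host ends with "." + domain.
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = normalize(domain);
  return h === d || h.endsWith("." + d);
}

// Would a browser store "Set-Cookie: ...; Domain=<domainAttr>" sent by settingHost?
function canSetCookie(settingHost, domainAttr) {
  const d = normalize(domainAttr);
  if (PUBLIC_SUFFIXES.has(d)) return false; // cookies for a whole suffix are rejected
  return domainMatches(settingHost, d);
}

// Returns the Domain value that lets content on userContentHost set a cookie
// the browser will later send to appHost, or null if no such scope exists.
function sharedCookieScope(userContentHost, appHost) {
  const labels = userContentHost.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (canSetCookie(userContentHost, candidate) &&
        domainMatches(appHost, candidate)) {
      return candidate;
    }
  }
  return null;
}

// Constructed hosts: the application and two places user scripts could be served from.
const APP = "www.example.com";
for (const host of ["usercontent.example.com", "usercontent.example.net"]) {
  const scope = sharedCookieScope(host, APP);
  console.log(host, "->", scope ? `shares cookie scope "${scope}" with ${APP}`
                                : `no cookie scope shared with ${APP}`);
}
```
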