
Turn JavaScript off on HomeNodes

by vroom (His Eminence)
on Sep 03, 2001 at 00:30 UTC ( #109776=monkdiscuss )

Now you should be able to go to your user settings and strip JavaScript out of user homenodes before they are sent your way. JavaScript should get stripped from homenodes for Anonymous Monk by default.

pmdev-ites take a look at the user display page and let me know if you can think of a way to make the substitution more robust.

vroom | Tim Vroom |

Replies are listed 'Best First'.
(crazyinsomniac) Re: Turn JavaScript off on HomeNodes
by crazyinsomniac (Prior) on Sep 03, 2001 at 10:17 UTC
    That will not adequately strip JavaScript.

    Slashdot|MS Security: On A Path As Clear As It Is Reliable pointed me to Expert hacks Hotmail in 1 line of code which in turn pointed me here, which reveals that STYLE tags in Netscape will execute the stuff enclosed in style tags as JavaScript, if the TYPE attribute of the style tag is "application/x-javascript".

    Your code (line 56):

        $str=~s/<script[^>]*>.*?<\/script[^>]*>//igs if $$USER{jsoff};

    My addition (you're welcome to improve):

        #!/usr/bin/perl -w
        use strict;

        my $string = q|<STYLE TYPE="application/x-javascript" Language='English' TYPE="application/x-javascript">|;
        printf "%s\n", $string;

        # Force every TYPE attribute inside a STYLE tag to text/css.
        $string =~ s{<STYLE\s([^>]*)>}
        {
            my $trt = $1;
            # $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs;
            $trt =~ s!type=\S+?[ '"]!TYPE="text/css"!igs;
            qq(<STYLE $trt>)
        }eigsx;
        printf "%s\n", $string;

    Also evil are object, applet and embed tags (I'm sure there are others).

    update: a slightly smarter version

        #!/usr/bin/perl -w
        use strict;

        my $string = q|<STYLE TYPE="application/x-javascript" Language='English' TYPE="application/x-javascript">|;
        printf "%s\n", $string;

        # Same idea, but the closing ">" is captured too, so an unquoted
        # TYPE value that runs up to the ">" is also rewritten.
        $string =~ s{<STYLE\s([^>]*>)}
        {
            my $trt = $1;
            # $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs;
            $trt =~ s!type=\S+?[ '">]!TYPE="text/css"!igs;
            $trt .= '>' if substr($trt,-1,1) ne '>';
            qq(<STYLE $trt)
        }eigsx;
        printf "%s\n", $string;

    update: OeufMayo says in the cb, what about: <a href="#" onClick="alert('evil javascript here');">

    Well I thought htmlScreen would take care of it, but you do override the filter

        $str.=htmlcode('parselinks','doctext,override');
        # ... in parselinks ...
        $text=htmlScreen($text,$APPROVED) unless $overridefilter eq "override";

    Disclaimer: Don't blame. It came from inside the void

    perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;"

      A few well-chosen RE substitutions cannot be safe. But the safe approach would be a major change to the overall parsing logic of the site, and I am loath to tackle that without a fair block of time and a safe development environment to play around in.
      Also beware of onMouseOver, onMouseMove, onMouseOut, and onError. They can start a script without the user making any obvious interaction. Really any /\son.+/ in a tag should get killed.
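
The replies above argue that a few regex substitutions cannot be safe, and list STYLE, object/applet/embed and on* handlers as things the `<script>` substitution misses. As an added example (not PerlMonks code and not from any poster), here is that substitution next to an allowlist filter that re-emits only known tags and attributes and escapes everything else. `%ALLOWED`, `%DROP_BODY`, `esc`, `regex_strip` and `sanitize` are hypothetical names, and the sample inputs are constructed from the vectors named in the thread.

```perl
use strict;
use warnings;

# Hypothetical allowlist: permitted tags and the attributes allowed on each.
my %ALLOWED   = (a => { href => 1 }, b => {}, i => {}, p => {}, br => {}, code => {});
my %DROP_BODY = (script => 1, style => 1);   # remove these elements with their content

sub esc {                                    # escape everything that is re-emitted
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

sub regex_strip {                            # the substitution quoted in the thread
    my ($str) = @_;
    $str =~ s/<script[^>]*>.*?<\/script[^>]*>//igs;
    return $str;
}

sub sanitize {
    my ($html) = @_;
    my ($out, $skip) = ('', '');
    while ($html =~ m{\G(?: <(/?)([a-z][a-z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)> | ([^<]+|<) )}gcisx) {
        my ($close, $tag, $attrs, $text) = ($1, lc($2 // ''), $3, $4);
        if (defined $text)    { $out .= esc($text) unless $skip; next; }
        if ($skip)            { $skip = '' if $close && $tag eq $skip; next; }
        if ($DROP_BODY{$tag}) { $skip = $tag unless $close; next; }
        next unless $ALLOWED{$tag};          # unknown tag: drop the tag, keep its text
        if ($close)           { $out .= "</$tag>"; next; }
        my $keep = '';
        while ($attrs =~ /([a-z][-a-z0-9]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi) {
            my ($name, $val) = (lc($1), $2 // $3 // $4);
            next unless $ALLOWED{$tag}{$name};                           # on* handlers never pass
            next if $name eq 'href' && $val !~ m{^(?:https?://|/|\#)}i;  # URL prefix allowlist
            $keep .= qq( $name=") . esc($val) . '"';
        }
        $out .= "<$tag$keep>";
    }
    return $out;
}

# Constructed samples built from the vectors named in the thread.
my @samples = (
    q|<script>alert(1)</script>hello|,
    q|<STYLE TYPE="application/x-javascript">alert(1)</STYLE>|,
    q|<a href="#" onClick="alert('evil javascript here');">link</a>|,
    q|<b onMouseOver="alert(1)">bold</b><embed src="x">|,
);
printf "in:    %s\nregex: %s\nallow: %s\n\n", $_, regex_strip($_), sanitize($_) for @samples;
```

Because every byte of output is either a tag rebuilt from the allowlist or escaped text, a tokenizing mistake loses markup rather than letting it through. Entities already present in the input are double-escaped, which a real filter would handle by decoding first.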
