Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Turn JavaScript off on HomeNodes

by vroom (Pope)
on Sep 03, 2001 at 00:30 UTC ( #109776=monkdiscuss: print w/replies, xml ) Need Help??

Now you should be able to go to your user settings and strip JavaScript out of user homenodes before they are sent your way. JavaScript should get stripped from homenodes for Anonymous Monk by default.

pmdev-ites take a look at the user display page and let me know if you can think of a way to make the substitution more robust.

vroom | Tim Vroom | vroom@blockstackers.com

Replies are listed 'Best First'.
(crazyinsomniac) Re: Turn JavaScript off on HomeNodes
by crazyinsomniac (Prior) on Sep 03, 2001 at 10:17 UTC
    That will not adequately strip javascript.

    Slashdot|MS Security: On A Path As Clear As It Is Reliable pointed me to Expert hacks Hotmail in 1 line of code which in turn pointed me here, which reveals that STYLE tags in netscape will execute the stuff enclosed in style tags as javascript, if the TYPE attribute of the style tag is "application/x-javascript".

    Your code: 56: $str=~s/<script[^>]*>.*?<\/script[^>]*>//igs if $$USER{jsoff};

    My addition (you're welcome to improve): 

    #!/usr/bin/perl -w
use strict;

my $string = q|<STYLE TYPE="application/x-javascript" Language='Englis
+h' TYPE="application/x-javascript">|;
printf "%s\n", $string;

$string =~ s¡<STYLE\s([^>]*)>¡
          {
            my $trt = $1;
#            $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs;
            $trt =~ s!type=\S+?[ '"]!TYPE="text/css"!igs;
            qq(<STYLE $trt>)
          }¡eigsx;

printf "%s\n", $string;

    [download]
    Also evil are object, applet and embed tags (i'm sure there are others).

    update: a slightly smarter version

    #!/usr/bin/perl -w
use strict;

my $string = q|<STYLE TYPE="application/x-javascript" Language='Englis
+h' TYPE="application/x-javascript">|;
printf "%s\n", $string;

$string =~ s¡<STYLE\s([^>]*>)¡
          {
            my $trt = $1;
#            $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs;
            $trt =~ s!type=\S+?[ '">]!TYPE="text/css"!igs;
            $trt .= '>' if substr($trt,-1,1) ne '>';
            qq(<STYLE $trt)
          }¡eigsx;

printf "%s\n", $string;

    [download]
    update: OeufMayo says in the cb, what about: <a href="#" onClick="alert('evil javascript here');">

    Well I thought htmlScreen would take care of it, but you do override the filter 

    $str.=htmlcode('parselinks','doctext,override');
... in parselinks ...
$text=htmlScreen($text,$APPROVED) unless $overridefilter eq "override"
+;

    [download]

     
    ___crazyinsomniac_______________________________________
    Disclaimer: Don't blame. It came from inside the void
    perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;"

[reply]
[d/l]
[select]
      A few well-chosen RE substitutions cannot be safe. But the safe approach would be a major change to the overall parsing logic of the site, and I am loathe to tackle that without a fair block of time and a safe development environment to play around in.
[reply]
      Also beware of onMouseOver, onMouseMove, onMouseOut, and onError. They can start a script with out the user making any obvious interaction. Realty any /\son.+/ in a tag should get killed.
[reply]

Back to Perl Monks Discussion

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: monkdiscuss [id://109776]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (3)
As of 2021-11-27 08:25 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found
    Notices?