You have the option to turn off JavaScript on homenodes in your user settings. Even better, it works now. ;-)

Use it. Yes, do it. Now.

Well, it *used* to work, when Petruchio used <script> tags. Now that they've been replaced with an onLoad event handler, the problem is back.

Can we just get rid of the 'disable JavaScript on homenodes' option until it works? The placebo effect (i.e. 'the power of suggestion') is psychological. It has no effect on computers. A function must actually be implemented before it can have an effect.
When the checkbox does not do what it says it does, it widens the security hole that JavaScript presents. It leads people to believe they're protected, when they are only sheltered from the most obvious way of carrying out the 'threat.'

Maybe it should say something like...
"Disable <script> tags and comment out their contents on home nodes. This may make you feel good, but will not actually protect you."

...at least until it can actually disable JavaScript.
Yes, I'm aware that it's difficult to filter JavaScript in all of its forms.

Update:Browsers that run the script on Pertruchio's homenode:

• MSIE 5.1.3 (MacOS X)
• Opera 5.03b393 (Mac OS X)
• MSIE 5.50.4807.2300 (Win 2000)
• Netscape 4.08 (Win 2000)
/me notes that the alert box is displayed (minus the cookie's value) even if you're not logged in, so you can test it safely.

s!!password!;y?sordid?binger?;y.paw.mrk.;
print chr 0x5b;print;print chr(0x5b+0x2);
[download]

Please explain to me what JavaScript is still executed from Petruchios page. The onLoad() event is not fired in my browser. What am I missing?

Update: I'm using Mozilla 0.9.9 under Win32 here. (I'll try with Mozilla 0.9.8 under Linux at home later.)

My settings are:

• Enable JavaScript for Navigator but not for Mail and News.
• Allow web pages to do <everything> except open unrequested windows


Update 2:
I found it! I do not allow loading of images from other sites than the host of the page, which is why Petruchios image doesn't load. And thereby why the onLoad() event doesn't get fired off.

Thereby I understand how JavaScript is still a threat on Petruchios home node. (And potentially others too.)



---

Everything went worng, just as foreseen.

Update: Works also with
• Opera 6.0b1 (Linux)
• Opera 6.0b1 (Windows 2000/XP/98)
  
  Anyway it's not about you browser... In other words, i confess - i don't like JavaScript anyway ;-) and IMHO the best solution to prevent such attacks is to completly turn the JavaScript off (or use a browser that doesn't support it)!
  
  Trying to secure servers, making them refuse to accept such input is ok, but it reminds me the way the viruses evoluated - some people were trying to secure the software, while the others tried to walk around that security improvements. And what to say... it happens all the time!
  Besides there is another problem - if something has beed invented and people were told that tit was invented for them, then how to explain your *customer* (or even any of your users) that they can't use it right here - at this site, becouse somebody used it wrong way... Will (s)he understand?! I'm afraid - no :-(
  
  BTW (Off-Topic). A few days ago i've got almost killed by a genius 'WebMASTER' who told his customer "... it won't look god in red... besides there is no red color in the Internet". ROTFL ;-)
  
  Greetz, Tom.

I know it's not exactly Perl, but would it be worth someone putting how to turn off Javascript for Perlmonks on those browsers which support per-site options into a file somewhere? If Petruchio would put it onto his homepage where the exploit is demoed that'd probably be wonderous, we could see it work.

It's only now I have a quiet day at work I'm looking at how, and if, I can do it in Mozilla (Replaced IE as my main browser about three weeks back).

I'm unwilling to turn Javascript off in general though. Perlmonks is a site I use a lot, but I need Javascript to access the sites which are more directly part of my job.

All right... way OT, but here it is. Straight from Mozilla:

user_pref("capability.policy.nojs.sites", "http://perlmonks.org");

Update:

This does not work!

It's documented at mozilla, but it is wrong, wrong, wrong! petruchio's node still shows me my cookie.

... and that conclusion is really sad ;-( (i'm in the the same situation)

Greetz, Tom.

I've been using Mozilla (on Win32) since at least 0.9.4, and aside from it getting quite stable now (at 0.9.9), it allows one to disallow javascript to set and/or read cookies. I believe this addresses the security issue which Petruchio's demo illustrates.

..Jon