It's not spoofing we have to worry about. With JavaScript enabled for us, this site is basically *allowing* the "cross-site scripting" vulnerabilities we see reported to BugTraq when people are permitted to execute JavaScript via, say, Hotmail.

In short, all someone has to do is use JavaScript's cookie code to fetch your PerlMonks cookie and deliver it to the malicious user. You don't even have to click a button. Put the JavaScript in an <img src="javascript:do_evil()"> tag, or any of the other dozens of ways of invoking JavaScript, which will neatly circumvent most regexp means of preventing it. The browser has to assume that all code and content coming from a web site is "sanctioned" and approved by that web site, so anything that comes in and tries to muck with the site's cookies or whatever has to be considered legitimately from that site, which means it'll be permitted.

The bottom line: Allowing anybody to put their own content on your web site (such as message boards or sites like this) is a bad idea unless you severely limit what they're allowed to put up. This includes all scripting languages and quite a lot of HTML tags and attributes. As much as I'd hate to see JavaScript go, it's simply not possible to write a secure "parser" that will remove evil JavaScript and permit what's left.


In reply to RE: On JavaScript, mt2k, and security risks by Fastolfe
in thread On JavaScript, mt2k, and security risks by jcwren
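An added illustration of the reply's point, not code from Fastolfe's post or from PerlMonks: a blocklist regexp "sanitizer" next to an allowlist filter that re-emits only tags and attributes it recognises. The tag set, the `do_evil()`/`steal()` payload names and the URL rule are assumptions made for the demo; the payloads are constructed.

```javascript
// Added example, not from the original post or from PerlMonks. Contrasts a
// blocklist regexp "sanitizer" (the approach the post says cannot be made safe)
// with an allowlist filter that rebuilds the markup from tags and attributes it
// knows. ALLOWED, SAFE_URL and the payload names are assumptions for the demo.

// Blocklist: strip <script> elements and on*= handlers with regexps, keep the rest.
function naiveSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Allowlist: tag -> attributes permitted on it. Anything not listed is dropped.
const ALLOWED = {
  p: [], b: [], i: [], em: [], strong: [], code: [], pre: [], br: [],
  a: ['href'], img: ['src', 'alt'],
};
// URL attributes must be http(s) or site-relative. javascript:, data:, vbscript:,
// protocol-relative //host and anything else are rejected by not matching.
const SAFE_URL = /^(https?:\/\/|\/(?!\/))/i;

// Escape text nodes and attribute values; leave existing entities (&lt; &#91;) alone.
function escapeHtml(s) {
  return s.replace(/&(?![a-zA-Z]+;|#\d+;)/g, '&amp;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Tokenise into text and tag tokens (simplified tag grammar: no '>' inside an
// attribute value), then rebuild the markup from the allowlist only.
function allowlistSanitize(html) {
  const parts = html.split(/(<\/?[a-zA-Z][a-zA-Z0-9]*\b[^>]*>)/);
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '';
  for (let i = 0; i < parts.length; i++) {
    if (i % 2 === 0) { out += escapeHtml(parts[i]); continue; }   // text node
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>$/.exec(parts[i]);
    const tag = m[2].toLowerCase();
    // hasOwnProperty, not `in`: `<constructor>` must not hit Object.prototype
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) continue; // drop tag
    if (m[1] === '/') { out += `</${tag}>`; continue; }
    let attrs = '';
    let a;
    while ((a = attrRe.exec(m[3])) !== null) {
      const name = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (!ALLOWED[tag].includes(name)) continue;   // on*, style, etc. never listed
      if ((name === 'href' || name === 'src') && !SAFE_URL.test(value)) continue;
      attrs += ` ${name}="${escapeHtml(value)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out;
}

// Constructed payloads of the kinds the post describes: a javascript: URL in an
// <img>, a handler with '/' instead of a space so the "\son" regexp misses it,
// and a mixed-case scheme with leading whitespace.
const payloads = [
  '<img src="javascript:do_evil()">',
  '<b/onmouseover=steal()>x</b>',
  '<a href=" JaVaScRiPt:do_evil()">link</a>',
];
for (const p of payloads) {
  console.log(`naive:     ${naiveSanitize(p)}`);
  console.log(`allowlist: ${allowlistSanitize(p)}`);
}
```

The blocklist passes all three payloads through untouched, because each avoids the exact byte pattern the regexps look for; the allowlist never has to know about the trick, since an attribute or scheme it was not told about simply does not get re-emitted. That is the "severely limit what they're allowed to put up" in working form.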
