I'm not talking javascript hara-kiri here. I've got
a database of web pages or snippets I've created
and I'd like to display them in a table. So on my
server (in PHP) I take all the files, and plunk the
text for each between <TD> tags and return that
page, everyone's happy.
Now some joker (me) comes along and puts the single line
<SCRIPT>alert(' Hi mom')</SCRIPT>Dad
as the the entry for one file. Sure enough, when
the client gets the page s/he also gets an alert.
So what I'd like to do is to turn off any "immediate
scripting" that happens due to <SCRIPT> tags
within the <TABLE> element (or even the whole
document).
But wait, it gets worse. Plunk the following in between
TD tags (on my IE 6 or Opera 7.23 anyway) and I still
get the alert:
<html><head><ti tle>hi mom alert test</title></head>
<body onLoad='alert(" Hi Mom")'>Dad</body></html>
So I'm looking for something that will Just say, "No"
to Javascript "happening" between certain TD tags.
You know in IE when you click on a .HTM or .HTML
file you get a minimalist preview of it on the left? That's
what I want these containing TDs to be.
Thanks, Csaba Gabor
PS. There's a (post TD) part two to this if we get past
this part one. 13  1918 
Csaba Gabor wrote: I'm not talking javascript hara-kiri here. I've got
a database of web pages or snippets I've created
and I'd like to display them in a table. So on my
server (in PHP) I take all the files, and plunk the
text for each between <TD> tags and return that
page, everyone's happy.
Now some joker (me) comes along and puts the single line
<SCRIPT>alert(' Hi mom')</SCRIPT>Dad
as the the entry for one file. Sure enough, when
the client gets the page s/he also gets an alert.
So what I'd like to do is to turn off any "immediate
scripting" that happens due to <SCRIPT> tags
within the <TABLE> element (or even the whole
document).
But wait, it gets worse. Plunk the following in between
TD tags (on my IE 6 or Opera 7.23 anyway) and I still
get the alert:
<html><head><ti tle>hi mom alert test</title></head>
<body onLoad='alert(" Hi Mom")'>Dad</body></html>
So I'm looking for something that will Just say, "No"
to Javascript "happening" between certain TD tags.
You know in IE when you click on a .HTM or .HTML
file you get a minimalist preview of it on the left? That's
what I want these containing TDs to be.
Thanks, Csaba Gabor
PS. There's a (post TD) part two to this if we get past
this part one.
You cannot turn off Javascript for the page, but you can filter the
output on the server. The PHP symantecs is out of the scope of this
group, but what it comes down to is this:
When your PHP code outputs it's data fields, do the following:
1. Replace '<' characters with <
2. Replace '>' characters with >
This will cause the data to show up as text, so the script block will
show up exactly the way it is typed, and not execute in the browser.
Brian
Klaus Johannes Rusch wrote: Csaba Gabor wrote: So I'm looking for something that will Just say, "No"
to Javascript "happening" between certain TD tags.
This type of attack is knowns as cross-site scripting.
It wouldn't only apply to scripting. What happens when someone enters:-
<iframe src="#"></iframe>
? (that potentially gets quite recursive.)
You will need to strip or escape all characters which have special
meaning when generating HTML, see
http://www.cert.org/tech_tips/malici...itigation.html for
details.
Yes, escaping anything that has meaning in HTML, either as the output
page is built or as the data goes into the database (trading an increase
in required storage space for only having to do the job once for each
item).
Richard.
Csaba Gabor wrote: I'm not talking javascript hara-kiri here. I've got
a database of web pages or snippets I've created
and I'd like to display them in a table. So on my
server (in PHP) I take all the files, and plunk the
text for each between <TD> tags and return that
page, everyone's happy.
Now some joker (me) comes along and puts the single line
<SCRIPT>alert(' Hi mom')</SCRIPT>Dad
as the the entry for one file. Sure enough, when
the client gets the page s/he also gets an alert.
So what I'd like to do is to turn off any "immediate
scripting" that happens due to <SCRIPT> tags
within the <TABLE> element (or even the whole
document).
But wait, it gets worse. Plunk the following in between
TD tags (on my IE 6 or Opera 7.23 anyway) and I still
get the alert:
<html><head><ti tle>hi mom alert test</title></head>
<body onLoad='alert(" Hi Mom")'>Dad</body></html>
So I'm looking for something that will Just say, "No"
to Javascript "happening" between certain TD tags.
You know in IE when you click on a .HTM or .HTML
file you get a minimalist preview of it on the left? That's
what I want these containing TDs to be.
Thanks, Csaba Gabor
PS. There's a (post TD) part two to this if we get past
this part one.
Perhaps htmlentities() in PHP might be of some help.
See http://ca2.php.net/htmlentities
or http://www.php.net/htmlentities
JRS: In article <40******@andro meda.datanet.hu >, seen in
news:comp.lang. javascript, Csaba Gabor <ne**@CsabaGabo r.com> posted at
Mon, 19 Apr 2004 14:19:55 : I'm not talking javascript hara-kiri here. I've got
a database of web pages or snippets I've created
and I'd like to display them in a table. So on my
server (in PHP) I take all the files, and plunk the
text for each between <TD> tags and return that
page, everyone's happy.
Now some joker (me) comes along and puts the single line
<SCRIPT>alert( 'Hi mom')</SCRIPT>Dad
You have problems of an altogether different nature, too.
You are, legally, the publisher of whatever appears on your site; and
you may be held responsible if illegal material appears on it.
After the beginning of next month, at least, you will need to comply
with EU law or risk the consequences.
--
© John Stockton, Surrey, UK. ?@merlyn.demon. co.uk Turnpike v4.00 IE 4 ©
<URL:http://jibbering.com/faq/> Jim Ley's FAQ for news:comp.lang. javascript
<URL:http://www.merlyn.demo n.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demo n.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
Dr John Stockton wrote: JRS: In article <40******@andro meda.datanet.hu >, seen in
news:comp.lang. javascript, Csaba Gabor <ne**@CsabaGabo r.com> posted at
Mon, 19 Apr 2004 14:19:55 :
I'm not talking javascript hara-kiri here. I've got
a database of web pages or snippets I've created
and I'd like to display them in a table. So on my
server (in PHP) I take all the files, and plunk the
text for each between <TD> tags and return that
page, everyone's happy.
Now some joker (me) comes along and puts the single line
<SCRIPT>alert ('Hi mom')</SCRIPT>Dad
You have problems of an altogether different nature, too.
You are, legally, the publisher of whatever appears on your site; and
you may be held responsible if illegal material appears on it.
After the beginning of next month, at least, you will need to comply
with EU law or risk the consequences.
What law are you speaking of?
In article <ma************ **@merlyn.demon .co.uk>, sp**@merlyn.dem on.co.uk enlightened us with...
You have problems of an altogether different nature, too.
You are, legally, the publisher of whatever appears on your site; and
you may be held responsible if illegal material appears on it.
After the beginning of next month, at least, you will need to comply
with EU law or risk the consequences.
Would sites in other countries also need to comply with EU law?
How could they possibly hope to ensure such compliance?
--
--
~kaeli~
Press any key to continue or any other key to quit http://www.ipwebdesign.net/wildAtHeart http://www.ipwebdesign.net/kaelisSpace
JRS: In article <MP************ ************@nn tp.lucent.com>, seen in
news:comp.lang. javascript, kaeli <ti******@NOSPA M.comcast.net> posted at
Tue, 20 Apr 2004 10:27:42 : In article <ma************ **@merlyn.demon .co.uk>,
sp**@merlyn.de mon.co.uk enlightened us with...
You have problems of an altogether different nature, too.
You are, legally, the publisher of whatever appears on your site; and
you may be held responsible if illegal material appears on it.
After the beginning of next month, at least, you will need to comply
with EU law or risk the consequences.
Would sites in other countries also need to comply with EU law?
How could they possibly hope to ensure such compliance?
The USA appears to believe that it has extraterritoria l legal rights;
why should the EU not have otherwise, perhaps even by treaty?
I believe that Web sites based in the USA or under the control of an
American are requited to comply with American law, and so on.
Let us suppose that you, believed to be an American in America, host
such a site; and that it is used by persons unknown for distributing
messages in support of OBL, YA, and other undesirables, or encouraging
and assisting criminal activity within the USA. ISTM likely that the
FBI, the DHS, or some other Federal agency will become Manifestly
Displeased.
--
© John Stockton, Surrey, UK. ?@merlyn.demon. co.uk Turnpike v4.00 MIME. ©
Web <URL:http://www.merlyn.demo n.co.uk/> - FAQish topics, acronyms, & links.
Proper <= 4-line sig. separator as above, a line exactly "-- " (SonOfRFC1036)
Do not Mail News to me. Before a reply, quote with ">" or "> " (SonOfRFC1036)
That's why I want to be able to encapsulate what IE is already able
to do. OK, I've come to the conclusion that I can't really do what I had
wanted very safely. I coded up some regular expressions in PHP
to 1) remove SCRIPT tags, and 2) any onXXX attributes (excluding
onClick) (there were too many that might fire to be selective, such as
onReadyStateCha nge, onResize, onMouseover, blah blah blah),
and 3) src attributes, except for images.
Besides being dog slow, there are still plenty of susceptibilitie s such
as from CSS attributes set locally applying globally (e.g. if one of
the pages to be inserted with the TD element has <BODY bgColor='pink'>
my page will no longer be pretty in pink (groan)).
Furthermore, one of the contained "pages" (they're snippets, after all)
could start off </TD></TR></TABLE> and really wreak layout havoc.
The point is, I would expect to no longer get a valid page anymore.
So, I'm back to my original version of just displaying the underlying
page's text with overflow control.
Csaba Gabor
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: strutsng |
last post by:
<input type="file"> only allows the user to browse for files.
How about "browse for folder" dialog? Can html/javascript do that? I
couldn't find any syntax for that. If not, please advise what are the
other approaches.
please advise. thanks!!
|
by: chfran |
last post by:
I want to turn off the "text menu" at the top of my application but
keep the graphical menu (SAVE (Disk), Sort (A-Z, Z-A).
Any ideas on how to do that either programatically or through a
standard Access function?
Thanks!
|
by: CS Wong |
last post by:
Hi,
I have a page form where form elements are created dynamically using
Javascript instead of programatically at the code-behind level. I have
problems accessing the dynamically-created elements and would like to seek a
solution for this.
I had looked through several articles for accessing programatically-created
dynamic elements such as:
1)
|
by: Nick Goloborodko |
last post by:
Hi,
What is the best way to detect JavaScript and Cookie support of the end user
browser?
TIA
--
Kind regards,
Nick Goloborodko
|
by: David Thielen |
last post by:
Hi;
When a user clicks a radio button, what I would like to do is that if
javascript is enabled on their browser, it calls a javascript function and
does not do a postback. If javascript is disabled, then it does do a postback.
Is there a way to do this?
--
thanks - dave
| | |
by: craigkenisston |
last post by:
I want to be able to turn on and off the custom errors mode, in order I
can do something like:
http://www.mysite.com/?debug=true
And then read the parameter, turn "off" the custom errors so I can see
the detailed messages, only when I add that parameter to the query
string.
Is it possible?
|
by: vbDavidC |
last post by:
I am wondering if there is a way to disable the MS wireless (not the
wireless card) programatically. I would like to be able to turn it off
and on.
I have the need to turn off the wireless because it seems to interfere
with some high speed data acquisition that we are doing.
|
by: kal |
last post by:
Hi there
I am hunting for way to turn off/disable active scripting especially
javascript in my webbrowser control. I don't see any property to turn
off script. I found entry in registry under HKU/software/microsoft/...
which gets modified when we manually change the setting for active
scripting in IE from dword 3 to 0. But that solution is not viable
because programatically registry updation is dependent the user rights
|
by: javamama |
last post by:
Hi,
I programmed a web page where two parallel maps can be explored with moving the cursor on the summer and winter buttons. The active button should turn red but now the right hand buttons turn red instead of the left ones. Where's the problem?
<HTML>
<META HTTP-EQUIV="Refresh" CONTENT=300>
<HEAD><TITLE>Parallel Visual Exploring</TITLE></HEAD>
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
