http://www.perlmonks.org?node_id=242931

PerlMonks and JavaScript

There are some inherent security issues involved when browsing with JavaScript turned on. This document attempts to outline where those dangers lie on PerlMonks.

PerlMonks does not use JavaScript. All markup generated by the site engine is either HTML or CSS.

Users create the content for the site. User-entered HTML is checked against a list of allowed tags and attributes in an attempt to filter out scripts.

However, users may put anything in their home nodes. Many users have JavaScript in their home nodes. Since anything on the page can react to 'onClick' or 'onMouseOver' events, even things that look benign might activate some scripted action.

Some users who have JavaScript on their home nodes use it to issue warnings to passers-by that JavaScript can be dangerous. Sometimes a message will be sent to the Chatterbox that appears to come from the user activating the script. These uses are fairly harmless.

Other uses are not so harmless. JavaScript code may have access to your browser's cookies. It will most likely have access to your PerlMonks cookie which contains your username and an encrypted form of your password. A script could grab this information and send it as a private message to the user whose home node you are viewing. The person would not be able to log into your account since the password they receive is encrypted but they would be able to use the cookie as-is to impersonate you.

In your User Settings page, you can check the option labeled 'Disable some JavaScript on homenodes', but this will provide only partial protection. <script> tags will be commented out but other references to JavaScript, such as event-handling attributes on other tags, will not be affected.
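To show why commenting out script tags is only partial protection, here is an added Python example (not PerlMonks' own filter, which is not shown on this page) that runs one constructed home-node snippet through a script-tag-commenting filter and through an allowlist sanitizer that also drops event-handler attributes and non-http link targets. The tag and attribute allowlists, the `sendToOwner` function name and the `SAMPLE` markup are assumptions made up for illustration.

```python
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "b", "i", "code", "pre", "br", "ul", "li"}  # assumed allowlist
ALLOWED_ATTRS = {"a": {"href", "title"}}                               # assumed allowlist
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.I)   # rejects javascript:/data: targets


def comment_out_scripts(src):
    # The partial protection: only <script>...</script> blocks are neutralised.
    return re.sub(r"(?is)<script\b.*?</script>", lambda m: "<!--" + m.group(0) + "-->", src)


class Allowlist(HTMLParser):
    # Rebuilds the markup keeping only allowed tags/attributes; all else becomes plain text.
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0   # skip > 0 while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.skip += 1            # drop the element and its contents entirely
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = []
            for name, value in attrs:
                value = (value or "").strip()
                if (name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set())
                        or (name == "href" and not SAFE_URL.match(value))):
                    continue          # drops onClick/onMouseOver/style and javascript: links
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize(src):
    p = Allowlist()
    p.feed(src)
    p.close()
    return "".join(p.out)


# Constructed home-node snippet (not a real node): three ways to run script plus one legit link
SAMPLE = ('<p>Hi <script>sendToOwner(document.cookie)</script></p>'
          '<b onmouseover="sendToOwner(document.cookie)">hover me</b>'
          '<a href="javascript:sendToOwner(document.cookie)">click</a><a href="http://perlmonks.org">link</a>')
```

Running both filters over `SAMPLE` shows the difference: the first still leaves the `onmouseover` handler and the `javascript:` link live, while the allowlist keeps only the plain text and the http link.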

To be perfectly safe, you can go to your browser's setup pages and disable JavaScript. Of course, this will apply to all sites you visit, which may not be desirable. Many sites will not work unless JavaScript is enabled.

Some browsers give you finer control over what JavaScript code can do. If your browser allows this, turn off options that allow access to cookies. You may want to disable other options like manipulating windows.

If you cannot turn off JavaScript, you can still achieve some measure of safety by browsing home nodes while not logged in. Your PerlMonks cookie will not be set and Anonymous Monk cannot send chatterbox messages.
