http://www.perlmonks.org?node_id=109776

Now you should be able to go to your user settings and strip JavaScript out of user homenodes before they are sent your way. JavaScript should get stripped from homenodes for Anonymous Monk by default.

pmdev-ites, take a look at the user display page and let me know if you can think of a way to make the substitution more robust.

vroom | Tim Vroom | vroom@blockstackers.com

Replies are listed 'Best First'.
(crazyinsomniac) Re: Turn JavaScript off on HomeNodes
by crazyinsomniac (Prior) on Sep 03, 2001 at 10:17 UTC
    That will not adequately strip javascript.

    "Slashdot | MS Security: On A Path As Clear As It Is Reliable" pointed me to "Expert hacks Hotmail in 1 line of code", which in turn pointed me here, which reveals that STYLE tags in Netscape will execute the stuff enclosed in style tags as JavaScript, if the TYPE attribute of the style tag is "application/x-javascript".

    Your code (line 56):

        $str=~s/<script[^>]*>.*?<\/script[^>]*>//igs if $$USER{jsoff};

    My addition (you're welcome to improve):

        #!/usr/bin/perl -w
        use strict;

        my $string = q|<STYLE TYPE="application/x-javascript" Language='English' TYPE="application/x-javascript">|;
        printf "%s\n", $string;

        $string =~ s¡<STYLE\s([^>]*)>¡
        {
            my $trt = $1;
            # $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs;
            $trt =~ s!type=\S+?[ '"]!TYPE="text/css"!igs;
            qq(<STYLE $trt>)
        }¡eigsx;

        printf "%s\n", $string;

    Also evil are object, applet and embed tags (I'm sure there are others).

    update: a slightly smarter version

        #!/usr/bin/perl -w
        use strict;

        my $string = q|<STYLE TYPE="application/x-javascript" Language='English' TYPE="application/x-javascript">|;
        printf "%s\n", $string;

        $string =~ s¡<STYLE\s([^>]*>)¡
        {
            my $trt = $1;
            # $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs;
            $trt =~ s!type=\S+?[ '">]!TYPE="text/css"!igs;
            $trt .= '>' if substr($trt,-1,1) ne '>';
            qq(<STYLE $trt)
        }¡eigsx;

        printf "%s\n", $string;

    update: OeufMayo says in the cb, what about: <a href="#" onClick="alert('evil javascript here');">

    Well, I thought htmlScreen would take care of it, but you do override the filter:

        $str.=htmlcode('parselinks','doctext,override');
        ... in parselinks ...
        $text=htmlScreen($text,$APPROVED) unless $overridefilter eq "override";

     
    ___crazyinsomniac_______________________________________
    Disclaimer: Don't blame. It came from inside the void

    perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;"

      A few well-chosen RE substitutions cannot be safe. But the safe approach would be a major change to the overall parsing logic of the site, and I am loath to tackle that without a fair block of time and a safe development environment to play around in.
      Also beware of onMouseOver, onMouseMove, onMouseOut, and onError. They can start a script without the user making any obvious interaction. Really any /\son.+/ in a tag should get killed.
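
Added example, not written by any poster in this thread and not PerlMonks code: it runs the line-56 substitution over constructed samples of the vectors named above (STYLE with a script TYPE, on* handlers) and compares the result with an allowlist filter that rebuilds approved tags and escapes everything else. The `%ALLOW` table and the `esc`, `strip_script_re` and `screen` names are hypothetical; `%ALLOW` is not the site's `$APPROVED`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allowlist (tag => attributes kept); NOT the site's real $APPROVED.
my %ALLOW = (a => { href => 1 }, b => {}, i => {}, p => {}, br => {});
my %ENT   = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');

sub esc { my $s = shift; $s =~ s/([&<>"])/$ENT{$1}/g; return $s }

# The substitution quoted in the thread (line 56 of the display page).
sub strip_script_re { my $s = shift; $s =~ s/<script[^>]*>.*?<\/script[^>]*>//igs; return $s }

# Allowlist filter: approved tags are rebuilt from approved attributes only;
# every other token (text, unknown tag, malformed tag) is entity-escaped.
sub screen {
    my $html = shift;
    my $out  = '';
    for my $tok (split /(<[^>]*>?)/, $html) {
        next if $tok eq '';
        if ($tok =~ m{^<(/?)([a-z][a-z0-9]*)\b([^>]*)>\z}i and $ALLOW{lc $2}) {
            my ($close, $name, $rest) = ($1, lc $2, $3);
            my $attrs = '';
            while (!$close and $rest =~ /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))/gi) {
                my ($k, $v) = (lc $1, defined $2 ? $2 : defined $3 ? $3 : $4);
                next unless $ALLOW{$name}{$k};        # drops onClick, onError, style, ...
                next if $k eq 'href' and $v !~ m{^(?:https?://|/|#)}i;  # known-good link forms only
                $attrs .= sprintf ' %s="%s"', $k, esc($v);
            }
            $out .= "<$close$name$attrs>";
        } else {
            $out .= esc($tok);
        }
    }
    return $out;
}

# Constructed samples modelled on the vectors named in the thread.
my @samples = (
    q|<script>alert(1)</script>hello|,
    q|<STYLE TYPE="application/x-javascript">alert(1)</STYLE>|,
    q|<a href="#" onClick="alert('evil javascript here');">link</a>|,
    q|<img src="x.gif" onError="alert(1)">|,
);
for my $s (@samples) {
    printf "in:     %s\nregex:  %s\nscreen: %s\n\n", $s, strip_script_re($s), screen($s);
}
```

Only the first sample is changed by the regex; the other three pass through it untouched, while `screen` emits them as escaped text or as a bare `<a href="#">`.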