Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery

Turn JavaScript off on HomeNodes

by vroom (His Eminence)
on Sep 03, 2001 at 00:30 UTC ( #109776=monkdiscuss: print w/replies, xml ) Need Help??

Now you should be able to go to your user settings and strip JavaScript out of user homenodes before they are sent your way. JavaScript should get stripped from homenodes for Anonymous Monk by default.

pmdev-ites take a look at the user display page and let me know if you can think of a way to make the substitution more robust.

vroom | Tim Vroom |

Replies are listed 'Best First'.
(crazyinsomniac) Re: Turn JavaScript off on HomeNodes
by crazyinsomniac (Prior) on Sep 03, 2001 at 10:17 UTC
    That will not adequately strip javascript.

    Slashdot|MS Security: On A Path As Clear As It Is Reliable pointed me to Expert hacks Hotmail in 1 line of code which in turn pointed me here, which reveals that STYLE tags in netscape will execute the stuff enclosed in style tags as javascript, if the TYPE attribute of the style tag is "application/x-javascript".

    Your code: 56: $str=~s/<script[^>]*>.*?<\/script[^>]*>//igs if $$USER{jsoff};

    My addition (you're welcome to improve):

    #!/usr/bin/perl -w use strict; my $string = q|<STYLE TYPE="application/x-javascript" Language='Englis +h' TYPE="application/x-javascript">|; printf "%s\n", $string; $string =~ s<STYLE\s([^>]*)> { my $trt = $1; # $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs; $trt =~ s!type=\S+?[ '"]!TYPE="text/css"!igs; qq(<STYLE $trt>) }eigsx; printf "%s\n", $string;
    Also evil are object, applet and embed tags (i'm sure there are others).

    update: a slightly smarter version

    #!/usr/bin/perl -w use strict; my $string = q|<STYLE TYPE="application/x-javascript" Language='Englis +h' TYPE="application/x-javascript">|; printf "%s\n", $string; $string =~ s<STYLE\s([^>]*>) { my $trt = $1; # $trt =~ s!type=\S+?(\s|"|')!TYPE="text/css"!igs; $trt =~ s!type=\S+?[ '">]!TYPE="text/css"!igs; $trt .= '>' if substr($trt,-1,1) ne '>'; qq(<STYLE $trt) }eigsx; printf "%s\n", $string;
    update: OeufMayo says in the cb, what about: <a href="#" onClick="alert('evil javascript here');">

    Well I thought htmlScreen would take care of it, but you do override the filter

    $str.=htmlcode('parselinks','doctext,override'); ... in parselinks ... $text=htmlScreen($text,$APPROVED) unless $overridefilter eq "override" +;

    Disclaimer: Don't blame. It came from inside the void

    perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;"

      A few well-chosen RE substitutions cannot be safe. But the safe approach would be a major change to the overall parsing logic of the site, and I am loathe to tackle that without a fair block of time and a safe development environment to play around in.
      Also beware of onMouseOver, onMouseMove, onMouseOut, and onError. They can start a script with out the user making any obvious interaction. Realty any /\son.+/ in a tag should get killed.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: monkdiscuss [id://109776]
Approved by root
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (4)
As of 2022-09-27 21:22 GMT
Find Nodes?
    Voting Booth?
    I prefer my indexes to start at:

    Results (124 votes). Check out past polls.