PerlMonks
(~OT) WARNING: Live Ammo WAS: Re: Am I javascript or not?
by belg4mit (Prior) on Mar 30, 2002 at 19:48 UTC [id://155477]
If you haven't gotten it yet,
there's wild javascript in there (it's all tame though),
read the source Luke. From what I've been saving on my pad.
Script Tag
First off the SCRIPT tag, good you stomped it. Checking for just javascript is bad. There are things other than javascript including:

JavaScript Protocols
mocha: and javascript: allow inline JavaScript for anchors. Mozilla drops support for mocha.
Example: make mine a latte, cup o' mud
For those interested, this is actually why I have JavaScript enabled. My personal toolbar is full of this stuff; they are called "bookmarklets".

JavaScript Entities
&{}, a form of inline JavaScript, not commonly used. This is probably NN only and it seems like support has been dropped for this in recent 4.x builds.
Example: Entities

JavaScript Attributes
onClick, onSubmit etc. for any tag which is allowed through. Or for extra safety, as a brother has been so kind as to demonstrate, remove them no matter what.

HTML entities for ASCII printable characters
These should be replaced with the characters they code for, & < and > carefully examined and excluded of course.
NOTE: one should not be strict about requiring the ';' as browsers are flaky on this. This should be done as the first step of cleansing.
Examples

Data Protocol
No example here ;-), see the RFC below and think MIME-type.

META
Something that is not itself directly a threat is <meta http-equiv="Content-Script-Type" content="text/javascript">. However removal of it could be prudent. If this META tag is used to set the preferred scripting language for the page, when removed any scripts on the page MAY become invalid (assuming the browser cannot auto-detect the type; this is most likely for installed extensions such as PerlScript and TCL).

Further Reading
Here are some related sources that are definitely worth a once-over
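The cleansing order the post lays out, as an added Perl example (not belg4mit's code and not a complete sanitizer; the %named table, the function names and the sample markup are my own): entities are decoded first, then the SCRIPT and META tags, &{} entities, on* attributes and javascript:/mocha:/data: URLs are removed.

```perl
use strict;
use warnings;

my %named = (amp => '&', lt => '<', gt => '>', quot => '"', apos => "'");

# Step one from the post: turn entities back into characters, and do not
# insist on the trailing ';' because browsers do not either.
sub decode_entities {
    my ($s) = @_;
    $s =~ s/&#(\d+);?/chr($1)/ge;
    $s =~ s/&#[xX]([0-9a-fA-F]+);?/chr(hex $1)/ge;
    $s =~ s/&(amp|lt|gt|quot|apos);?/$named{lc $1}/gie;
    return $s;
}

# Attribute cleanup for one tag: drop on* handlers and any attribute whose
# value starts with a javascript:, mocha: or data: URL.
sub clean_attrs {
    my ($attrs) = @_;
    $attrs =~ s{\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s]+)}{}gi;
    $attrs =~ s{\s+\w+\s*=\s*(?:"\s*(?:javascript|mocha|data)\s*:[^"]*"
                           |'\s*(?:javascript|mocha|data)\s*:[^']*'
                           |(?:javascript|mocha|data)\s*:[^\s]+)}{}gix;
    return $attrs;
}

sub sanitize_html {
    my ($html) = @_;
    $html = decode_entities($html);   # decode first, then look for vectors
    $html =~ s{<script\b[^>]*>.*?</script\s*>}{}gis;   # SCRIPT blocks
    $html =~ s{</?script\b[^>]*>}{}gi;                 # stray SCRIPT tags
    $html =~ s{<meta\b[^>]*content-script-type[^>]*>}{}gi;
    $html =~ s/&\{[^}]*\};?//g;                        # &{...}; entities
    $html =~ s{<([a-zA-Z][\w-]*)([^>]*)>}{'<' . $1 . clean_attrs($2) . '>'}ge;
    return $html;   # any '<', '>' or '&' left in text still needs re-escaping
}

# Constructed sample covering each vector named in the post.
my $sample = <<'HTML';
<p onMouseOver="run()">hello</p>
<a href="java&#115;cript:run()">make mine a latte</a>
<a href='mocha:run()'>cup o' mud</a>
<img src=&#106avascript:run()>
<b>&{run()};</b>
<meta http-equiv="Content-Script-Type" content="text/javascript">
<script>run()</script>
HTML

print sanitize_html($sample);
```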
In Section: Cool Uses for Perl