Jump to content

javascript security


Recommended Posts

This is not an appropriate task for Javascript. This is a task for your server-side code such as Php or Dot-Net.




If I can elaborate-


The reason is because- like html- javascript can be changed by the user after it's sent out. That and there's more than one way to submit a form without a browser.


The golden rule is that you can never trust anything coming from a user and your server always needs to validate it. Doesn't matter if it's web or a desktop application. Pretty much everything can be changed on the users computer.

Link to comment
Share on other sites

This is said to be for XSS. The book references http://www.cert.org/advisories/CA-2000-02.html


Can we actually inject a <script>? I cannot seem to get it to work using a input text field.

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>xss test</title><script>window.onerror = function(m, u, l){alert('Javascript Error: '+m+'nURL: '+u+'nLine Number: '+l);return true;}</script><script>window.onload = init;function init(){document.getElementById('btn1').onclick = put;var txt = '';document.getElementById('out1').innerHTML = 'length: '+ txt.length;document.getElementById('out2').innerHTML = txt;}function put(){var txt = document.getElementById('in1').value;//alert('input length: '+ txt.length);document.getElementById('out1').innerHTML = 'length: '+ txt.length;document.getElementById('out2').innerHTML = txt;}</script></head><body><p>Input the script <script>alert('hi');</script></p><input type="text" id="in1" placeholder="inject script here"/><input type="button" id="btn1" value="Enter"/><div id="out1"></div><div id="out2"></div></body></html>
Edited by davej
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...