
I have designed a website which has many JavaScript blocks:

<script type='text/javascript'></script>

Users can post to my page and a malicious user could post a script block as a post. What I want is for the script block in users' posts to be treated as text rather than as code.

I know I can validate the input and filter out the <script> blocks, but for the satiation of my curiosity, is there a way to block specific <script> tags from running after the page is loaded?

Sean Vieira
funtime
  • Fairly similar issue and answers here: http://stackoverflow.com/questions/12488339/html-javascript-prevent-script-execution-from-child-nodes-of-a-dom-tree/12489245#12489245 – jfriend00 Sep 20 '12 at 02:34
  • Wouldn't replacing all `<` and `>` in their post with `&lt;` and `&gt;` do the trick? Or if you want them to be able to post other html elements just do the replace on the script tags. That way what they typed will be displayed as is rather than treated as script. – nnnnnn Sep 20 '12 at 03:40

1 Answer


There's no surefire way to control JS on the client. Even if your logic prevents certain blocks of code from executing, there's nothing stopping a user from modifying the code and running it in the Javascript console.

As a general rule, everything happening on the browser end is in control of the user and shouldn't be trusted; you should probably rethink your validation.

aednichols
  • Actually... I am least bothered about what the user "can change it to"... it's enough for me if it works fine for a normal user when he opens the site the first time... i.e., if the script tag is blocked then it works fine for a normal user unless you change it... how can I control this blocking?? – funtime Sep 20 '12 at 04:19
  • Why not just use standard if-then logic that doesn't run a block of code if e.g. a flag variable you control is set to false? Or am I misunderstanding your question? – aednichols Sep 23 '12 at 00:51
  • @aednichols I didn't get you... Actually a user can make a post which may have a script block... I need to be able to block only that script block from running – funtime Sep 23 '12 at 04:20
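The output-escaping approach that nnnnnn's comment points toward, and that the answer's "rethink your validation" amounts to, as an added example (not code from the question, the answer or any commenter). It escapes all five HTML-significant characters rather than only `<script>` tags, because a post containing an `<img onerror=...>` or `<svg onload=...>` element runs script just as well without a script tag; the sample post and the `renderPost`/`appendPostToDom` function names are constructed for this demonstration.

```javascript
// Added example, not from the original page: render a user's post as text, not markup.
'use strict';

// Escape the characters that can break out of an HTML text or attribute context.
// Replacing only "<script>" (the comment's alternative) would leave
// <img onerror=...> and similar event-handler vectors live.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side (or template-side) rendering: the body goes through escapeHtml,
// so whatever tags the user typed are displayed literally by the browser.
function renderPost(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Client-side counterpart for pages that insert posts with JavaScript: build the
// nodes with createElement/textContent instead of innerHTML, so the markup is
// never parsed. Only runs in a browser; it is defined here for completeness.
function appendPostToDom(container, author, body) {
  const div = document.createElement('div');
  div.className = 'post';
  const b = document.createElement('b');
  b.textContent = author;          // textContent never creates child elements
  div.appendChild(b);
  div.appendChild(document.createTextNode(': ' + body));
  container.appendChild(div);
  return div;
}

// Constructed sample post carrying both a script block and an event handler.
const maliciousPost = 'hi <script>alert(document.cookie)</script> <img src=x onerror=alert(1)>';

// Escaped body must contain no raw "<" at all; every tag becomes visible text.
const rendered = renderPost('funtime', maliciousPost);
console.log(rendered);
```

`escapeHtml` must be applied at the point where the post is written into HTML, never by stripping or "blocking" tags after the browser has already parsed them; once a `<script>` element is in the DOM the browser has executed it, which is why the accepted answer says the client cannot be relied on for this.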