
I need to solve a problem with JavaScript injection in a form textarea and fields:

<script type='text/javascript'>
window.location='http:site.com';
</script>

or

<a href='javascript:...'>

or

<form action...>

or

<input name...>

but I need to preserve some HTML tags, for example a, b, ul... Is this possible?

David
    See http://stackoverflow.com/questions/1975613/how-can-i-allow-html-in-a-whitelist-with-php (and ignore the accepted answer (which currently as a score of zero) in favour of the one about HTML purifier). – Quentin Mar 03 '10 at 15:07

2 Answers

Try using HTML Purifier to specify just what types of HTML you want to allow to protect yourself from such XSS attacks.

Matchu

If you're worried about XSS, you need to process the input on the server side to make sure there's no JavaScript in it. Hopefully this Perl example will help (apologies for the regex, it's not my strong suit).

use strict;
use warnings;

# Sample input (constructed for the example): a fragment containing a <script> block.
# Single-quoted heredoc so nothing in the sample is interpolated.
my $str = <<'HTML';
<body>
        <div>
                sfdasfasdfs
                <script type="text/javascript">
                        window.location.href = "http://badsite.com";
                </script>
                sadfssdfssdf
        </div>
</body>
HTML

# Blocklist: delete each <script ...>...</script> block.
# Non-greedy [\s\S]*? so two script blocks in one string are removed separately
# instead of everything between the first <script> and the last </script>;
# /i also catches <SCRIPT>. This only removes script elements; it does not
# touch javascript: URLs or on* event-handler attributes.
$str =~ s/<script\b[^>]*>[\s\S]*?<\/script>//gi;

print "$str\n";

Mike Thomsen
    This won't strip out most of the examples given in the question. Nor, for that matter, would it strip out ` – Quentin Mar 03 '10 at 18:49
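As an added example (not code from either answer, and not HTML Purifier), here is an allowlist sanitizer in the spirit of the first answer, written in Python on the standard library's html.parser and run over the inputs from the question. The tag and attribute policy (`ALLOWED`, `SAFE_SCHEMES`) and the sample fragments are assumptions made for the example. A Python port of the second answer's script-stripping regex is included as `strip_scripts_only` so the two approaches can be compared on the same input: the allowlist keeps a, b, ul and drops everything else, while the blocklist leaves the `javascript:` link untouched, which is the point raised in the comment above.

```python
"""Allowlist HTML sanitizer on html.parser, with a blocklist regex for comparison.

Constructed example: the policy below is an assumption, not a library's default.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: allowed tags and, per tag, the attributes that are kept.
# Anything not listed (including every on* handler and style) is dropped.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "p": set(), "br": set(),
    "ul": set(), "ol": set(), "li": set(),
}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID = {"br"}  # tags that take no closing tag


def safe_url(value):
    """Accept only relative URLs or the schemes in SAFE_SCHEMES (rejects javascript:)."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens, emitting only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED:
            return  # drop the tag itself (form, input, ...) but keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue
            if name == "href" and not safe_url(value or ""):
                continue  # unsafe scheme: drop the attribute, keep the tag
            parts.append(f'{name}="{html.escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True decoded entities; re-escape so text stays text.
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))

    # Comments, declarations and processing instructions fall through and are dropped.

    def result(self):
        return "".join(self.out)


def sanitize(fragment):
    """Allowlist approach: return only the markup the policy permits."""
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


# Python port of the second answer's Perl blocklist: removes <script> blocks only.
SCRIPT_RE = re.compile(r"<script\b[^>]*>[\s\S]*?</script>", re.I)


def strip_scripts_only(fragment):
    """Blocklist approach: everything except <script>...</script> survives."""
    return SCRIPT_RE.sub("", fragment)


# Constructed samples mirroring the question's four cases plus tags to keep.
SAMPLES = {
    "script": "hello <script type='text/javascript'>window.location='http://site.com';</script> world",
    "js_href": "<a href='javascript:...'>x</a>",
    "form": "<form action='http://site.com'><input name='x'></form>",
    "kept": "<b>bold</b> <ul><li><a href='http://site.com' onclick='x()'>link</a></li></ul>",
}

if __name__ == "__main__":
    for label, fragment in SAMPLES.items():
        print(f"{label:8} allowlist: {sanitize(fragment)!r}")
        print(f"{'':8} blocklist: {strip_scripts_only(fragment)!r}")
```

html.parser is lenient rather than HTML5-spec-compliant, so this is a teaching model of the allowlist idea; for production input, a maintained sanitizer such as HTML Purifier (for PHP, as the first answer suggests) is the better choice, since it also normalises the output to well-formed HTML.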