Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it possible to sanitize Javascript code?

Tags:

javascript

xss

I want to allow user contributed Javascript in areas of my website.

  1. Is this completely insane?
  2. Are there any Javascript sanitizer scripts or good regex patterns out there to scan for alerts, iframes, remote script includes and other malicious Javascript?
  3. Should this process be manually authorized (by a human checking the Javascript)?
  4. Would it be more sensible to allow users to only use a framework (like jQuery) rather than giving them access to actual Javascript? This way it might be easier to monitor.

Thanks

like image 983
Tom Avatar asked Aug 25 '10 23:08

Tom

People also ask

What is sanitize JavaScript?

The sanitize() method of the Sanitizer interface is used to sanitize a tree of DOM nodes, removing any unwanted elements or attributes. It should be used when the data to be sanitized is already available as DOM nodes. For example when sanitizing a Document instance in a frame.

How do I disinfect HTML content?

Sanitize a string immediatelysetHTML() is used to sanitize a string of HTML and insert it into the Element with an id of target . The script element is disallowed by the default sanitizer so the alert is removed.

What does it mean to sanitize code?

HTML sanitization is the process of examining an HTML document and producing a new HTML document that preserves only whatever tags are designated “safe” and desired. HTML sanitization can be used to protect against cross-site scripting (XSS) attacks by sanitizing any HTML code submitted by a user.

1 Answers

I think the correct answer is 1.

As soon as you allow Javascript, you open yourself and your users to all kinds of issues. There is no perfect way to clean Javascript, and people like the Troll Army will take it as their personal mission to mess you up.

like image 82
Robusto Avatar answered Oct 17 '22 08:10

Robusto
Sign in to Comment

Related questions

How do online text editors work?
Rearranging table in JavaScript
jquery to find all exact td matches
Javascript replace() with case-change
How do I programmatically change a select so that it fires its onchange behavior?
Use onmousedown to get the ID of the element you just mousedowned on?
Access JavaScript variables with Selenium IDE
How can I use jQuery to style /parts/ of all instances of a specific word?
Dynamically Including jQuery using JavaScript if it's not already present
Does anyone know of a spell checker plugin for ckeditor that uses aspell or a similar local service instead of spellchecker.net? [closed]
Check if a file exist in the Server in ASP.NET
Classic ASP server-side JSON library
How to sort an array of objects based on a the length of a nested array in javascript
How can I monitor the rendering time in a browser?
JQuery UI tabs: How do I navigate directly to a tab from another page?
Are google chrome extension "content" scripts sandboxed?
javascript var declaration within loop
Progress Bar Filling - jQuery Implementation
Scrolling to the top of a page in a gwt application
Where are all the simple functions gone in WebGL?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!