I've read that images that come from the user should be sanitized. In order to understand how to prevent an exploit, I need to understand how the danger is manifested. Would the browser allow code to execute in an img element if it's loaded with code instead of an image? Or is there some other scenario to protect against? Thanks.
Yes, code inside an image will be executed by the browser:
http://lcamtuf.coredump.cx/squirrel/
If we view the source of this file, we see that there is valid html embedded in the valid binary code of the image. The browser will see this and say "Hey! I know what to do with that!" and just render it. It's not hard to imagine putting js inside <script> tags inside an image that will do all sorts of nasty things to your users.
Related
I am new to coding and trying to make a chrome app which basically displays a bunch of fake error messages. I called to the image with a button, but the image is not showing up. Could someone please help and tell me what I am doing wrong?? Here is the code;
I was having some trouble with the putting the code in, so...
http://pastebin.com/iTtmLVE5
There's nothing wrong with ur code, but with its implementation. First open console (F12) and check if js file has been loaded properly. Also You should really consider where to put ur external javascript files. Usually they are placed in html head tag or just before closing body tag .
The difference between both of them is that, if u place js file in header, its loading priority is high, so it loads before DOM (Document Object Model, so just a HTML structure) and when u place it before body closing tags, DOM will load first, so user can see inetrface faster (Since js is loading after browser renders it).
After copy & paste of ur code and making a little cleaning it works. What i've done was deleting all unneccessary HTML code, changing js file name to something more expressive (in my case script.js) and everything worked well.
I have a JavaScript variable that holds an image tag surrounded by an anchor tag. Pretty normal stuff.
myvar="<a href='foo'><img src='bar'></a>";
What happens in Firefox, is that even though I'm not choosing to document.write the contents of that myvar variable, I nevertheless see that the image referenced by the IMG tag does actually get loaded. You'd never know it's happening without having a HTTP proxy tool running. I see in Fiddler that image being loaded. I don't see the image in the page of course, because I didn't choose to document.write the tag into the page.
Is Firefox trying to be too clever and not-so-intelligently parsing through the HTML page, even through the embedded JavaScript in the page, and seeing an IMG tag and pre-loading it? It's the only explanation I have.
I'd have tried breaking up the img tag if I could recreate it in a simple test page, but I can't. If anyone here tells me yes Firefox 4+ definitely does that, then I'll change it to something like
myvar="<"+"a href='foo'><i"+"mg src='bar'></"+"a>";.
It'll be sad to have to do that (or one of the many other alternatives) but it'll work.
Is the JavaScript loaded from an external .js file or inlined in a script tag ? If inlined, you should make sure that it is not parsed as HTML content, instead declaring it as CDATA:
<script type="text/javascript">//<![CDATA[
// JS Stuff
//]]></script>
I see that Javascript code is normally in heading part of HTML code.
<head>
<script type="text/javascript" language="javascript" src="core.js"></script>
...
</head>
Is it OK to put the Javascript code in a body part of HTML code? I tested it, but it seems to work.
<body>
<script type="text/javascript" language="javascript" src="core.js"></script>
...
</body>
If so, why the examples of Javascript books put the javascript code in heading part?
If not, what's the difference between putting the javascript code in body/heading part?
Not only is it OK, it's actually better, since it lets the content come first.
If your viewers have a slow (eg, mobile) connection, it's better to send the actual content first, so that they can read it while the browser downloads the Javascript.
All the people saying it is better only applies if you are talking about at the bottom of the page (and that is an up for debate thing) from a code quality point of view, it is NOT ok to sprinkle script tags through your html. All references to javascript should be in a single place on the page, either the head (where they should be), or the very bottom (as a perf optimization)
Edit:
Basically, a web page is made up of 3 pieces; style (css), structure (html), and behavior (javascript). These pieces are all very distinct, so it makes sense to keep them as separate as possible. That way if you need to change some javascript, it is all in one place. If it is sprinkled through the file, it becomes much more difficult to find the code you are looking for, and that code basically becomes noise when you are just looking at structure.
It is the same arguments as why not sprinkle db access code all over your page. It has nothing to do with technical reasons, purely an architectural/design decision. Code that does different things should be kept separate for readability, maintainability, and by extension, refactorability (not sure if that last one is actually a word...)
You can do it, and people often do.
For example, people like to put their script tags just before the closing </body> to make web pages render quicker.
Also, if you do a script block after an element is created, you don't need to wait for DOM ready.
Be warned though, don't add, or remove an element from an unclosed ancestor in the markup tree (not including the script block's immediate parent element), or you will get the dreaded Operation Aborted error in IE.
Just something to add on:
I have preference of putting Javascript file right before </body>. My reasons being that:
Content can load and be shown first. If you load huge Javascript files first, which most are meaningless until the page is loaded, the user won't be able to see anything until the JS files are loaded.
Most Javascript code require to work with the UI can only run after the UI has been loaded. Placing the codes at the end of the html file reduces the need to use the onload event handler.
It is very bad habit to place Javascript snippets all over the HTML file. Placing all at the back of the HTML file allows you to manage your Javascript more efficiently.
It is legal according to the spec.
Most examples use them in the header as the headers come first and the browser will be able to parse the reference and download the JS files faster.
Additionally, these are links and are not part of the display, so traditionally, put in the header.
It is perfectly legal but there seem to be some differing opinions about it. Those who say to put all the javascript references in the head argue that the script is downloaded before the rest of the page become visible and dependent on it. So your user will not see an object on screen, attempt to interact with it and get an error because the javascript code is not yet loaded.
On the other hand, the argument goes that it takes longer to load all the script before the user sees the page and that can have a negative impact on perceived speed of your site.
JavaScripts inside body will be executed immediately while the page loads into the browser
Placing javascript at the end of the body will defer javascript load (ie: the page will render faster), but remember that any javascript function used for an event should be loaded before the event declaration, it is mainly because users may be able to fire an event before the page is completely loaded (so before the function is loaded)!
I used to put it in the head, then I've heard that it takes longer for the page to load so I started placing the scripts at the very bottom. However, I found out the most 'clean' way to do it is to place it in the head BUT you place the script inside a document.ready function. This way you have the best of both worlds. It is cleaner because it is in the head and it is not loaded before the content has been loaded, so there aren't any problems performance wise either.
With jQuery for instance, you can do it like this:
$(document).ready(function() {
alert('test');
});
The alert will only popup when the page has been fully loaded, even though the script is in the head.
So I've got an XHTML page with a script - not inline
> <script type="text/javascript"
> src="../global/js/scripts.js"></script>
and an embedded (I tried embed and object, same behavior) SVG document with a onload="CheckIfLoaded(evt)" attribute.
The problem is firefox doesn't call the CheckIfLoaded() function in scripts.js. Firebug gives me "CheckIfLoaded() is not defined" with no reference to any line numbers. I can't find any information regarding the scope of javascript functions with respect to embedded content. Curiously, it works fine in IE.
I could of course add a reference to the script into the SVG file as well but I believe that will result in the client downloading the scripts file twice and in addition I have 1000+ svg files and I'd really rather not add one line to all of them, although I suppose I could write a batch file or whatever if I have to.
Any one know more about this?
Do you have the onload on the svg element or on the object/embed tag?
Sounds like you want to call functions in the referencing ("parent") document, see examples here.
Are you sure that the script is getting loaded? Are there errors in the error console? If you put an alert() in the script, do you see it? (Before or after an alert() that you put in the onload handler?)
I have partial control of a web page where by I can enter snippets of code at various places, but I cannot remove any preexisting code.
There is a script reference midway through the page
<script src="/unwanted.js" type="text/javascript"></script>
but I do not want the script to load. I cannot access the unwanted.js file. Is there anyway I can use javascript executing above this refernce to cause the unwanted.js file not to load?
Edit: To answer the comments asking what and why:
I'm setting up a Stack Exchange site and the WMD* js file loads halfway down the page. SE will allow you to insert HTML in various parts of the page - so you can have your custom header and footer etc. I want to override the standard WMD code with my own version of it.
I can get around the problem by just loading javascript after the original WMD script loads and replacing the functions with my own - but it would be nice not to have such a large chunk of JS load needlessly.
*WMD = the mark down editor used here at SO, and on the SE sites.
In short, you can't. Even if there is a hack, it would heavily depend on the way browsers parse the HTML and load the scripts and hence wouldn't be compatible with all browsers.
Please tell us exactly what you can and cannot do, and (preferably; this sounds fascinating) why.
If you can, try inserting <!-- before the script include and --> afterwards to comment it out.
Alternatively, look through the script file and see if there's any way that you could break it or nullify its effects. (this would depend entirely on the script itself; if you want more specific advice, please post more details, or preferably, the script itself.
Could you start an HTML comment above it and end below it in another block?
What does the contents of unwanted.js look like?
You can remove a script from the DOM after it is called by using something simple such as:
s = document.getElementById ("my_script");
s.parentNode.removeChild(s);
This will stop all functions of the script but will not take it out of user's cache. However like you wanted it can't be used.
Basically you can't unless you have access to the page content before you render it.
If you can manipulate the HTML before you send it off to the browser, you can write a regular expression that will match the desired piece of code, and remove it.