A fix for a flaw in most Javascripts.

N.B. This is to fix the Client Side stuff, NOT server side things.

Problem:

Consider this:

<script type="text/javascript">
<!--
// The closing tag is written as <\/script> so the HTML parser does not end
// this script block early; the string value is still '<script>...</script>'.
var text = '<script>alert(\'Boo!\');<\/script>';
document.write(text); // the string is written as HTML, so the script runs
-->
</script>

See the problem: any input, however it is obtained (e.g. from a form), isn't converted into text but is left as HTML.

Yes, I know that this doesn't pose a great security risk, as the client has to type it in; however, that is no excuse!

If my name is <script>alert('Boo!');</script> and my JavaScript says hello, you get an alert... Well!

So what is the Fix?

Solution:

I have made a function called htmlsafe which does the same as htmlentities($str, ENT_QUOTES) in PHP.

htmlsafe.js (PGP Sig (For Geeks))

htmlsafecompressed.js (PGP Sig (For Geeks))
The script also contains nl2br and br2nl (just like PHP's).
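The author's htmlsafe.js is not reproduced on this page, so here is an added example (not the original script) of what such a client-side htmlentities($str, ENT_QUOTES) equivalent, plus nl2br and br2nl, looks like, applied to the post's "name" input before it reaches document.write. The sample input and the greeting() helper are constructed for the demonstration.

```javascript
// Added example, not the page's own htmlsafe.js: a minimal client-side
// equivalent of PHP's htmlentities($str, ENT_QUOTES), plus nl2br/br2nl.

// Escape the five characters that let text break out of an HTML context.
// ENT_QUOTES converts both double and single quotes, so the result is safe
// in element content and inside quoted attribute values.
function htmlsafe(str) {
  return String(str).replace(/[&<>"']/g, function (ch) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' }[ch];
  });
}

// nl2br: insert <br /> before each newline, like PHP's nl2br (the newline itself is kept).
function nl2br(str) {
  return String(str).replace(/(\r\n|\n\r|\r|\n)/g, '<br />$1');
}

// br2nl: turn <br>, <br/> and <br /> (any case) back into a newline.
function br2nl(str) {
  return String(str).replace(/<br\s*\/?>/gi, '\n');
}

// Untrusted input, as in the post: a "name" that is really a script tag.
// Constructed sample; "<\/script>" only keeps an inline <script> block from closing early.
var untrustedName = '<script>alert(\'Boo!\');<\/script>';

// Unsafe (the page's pattern) would be: document.write('Hello ' + untrustedName);
// Safe: escape first, so the browser displays the text instead of running it.
function greeting(untrusted) {
  return 'Hello ' + htmlsafe(untrusted) + '!';
}

if (typeof document !== 'undefined') {
  document.write(greeting(untrustedName)); // shows the literal <script> text
}
```

Escaping with a single regex and a lookup table means each character is replaced once, so an input that already contains &amp; is not double-escaped differently from any other ampersand, matching htmlentities.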
