March 1st, 2016


eBay illustrates why allowing JavaScript is *always* a bad idea

[For the programmers]

Here's a delicious little security alert about a vulnerability in eBay, which potentially allows malicious vendors to steal your eBay credentials and such. I recommend reading down to the details -- the JSF**k hack itself is kind of brilliant.

The moral of the story is that any time you see the phrase "code validation" in the context of JavaScript you should worry. Trying to make sure that code isn't going to do anything malicious is almost arbitrarily difficult. You should either allow JavaScript -- in which case you had better make sure you have a way to sandbox it and you understand all the possible attacks -- or forbid it outright. Unless you understand the problem *very* deeply, I recommend the latter.

(This is why Querki only allows a subset of HTML and CSS. A large subset, but we intentionally disallow any approach I can find that might allow JavaScript in. In some ways this makes me sad -- it limits the flexibility of the system -- but security is the higher priority...)