Justin du Coeur (jducoeur) wrote,

eBay illustrates why allowing JavaScript is *always* a bad idea

[For the programmers]

Here's a delicious little security alert about a vulnerability in eBay, which potentially allows malicious vendors to steal your eBay credentials and such. I recommend reading down to the details -- the JSF**k hack itself is kind of brilliant.

The moral of the story is that any time you see the phrase "code validation" in the context of JavaScript you should worry. Trying to make sure that code isn't going to do anything malicious is almost arbitrarily difficult. You should either allow JavaScript -- in which case you better make sure you have a way to sandbox it and you understand all the possible attacks -- or forbid it outright. Unless you understand the problem *very* deeply, I recommend the latter.

(This is why Querki only allows a subset of HTML and CSS. A large subset, but we intentionally disallow any approach I can find that might allow JavaScript in. In some ways this makes me sad -- it limits the flexibility of the system -- but security is the higher priority...)
Tags: programming, querki
