Justin du Coeur (jducoeur) wrote,
Justin du Coeur
jducoeur

eBay illustrates why allowing JavaScript is *always* a bad idea

[For the programmers]

Here's a delicious little security alert about a vulnerability in eBay, which potentially allows malicious vendors to steal your eBay credentials and such. I recommend reading down to the details -- the JSF**k hack itself is kind of brilliant.

The moral of the story is that any time you see the phrase "code validation" in the context of JavaScript you should worry. Trying to make sure that code isn't going to do anything malicious is almost arbitrarily difficult. You should either allow JavaScript -- in which case you better make sure you have a way to sandbox it and you understand all the possible attacks -- or forbid it outright. Unless you understand the problem *very* deeply, I recommend the latter.

(This is why Querki only allows a subset of HTML and CSS. A large subset, but we intentionally disallow any approach I can find that might allow JavaScript in. In some ways this makes me sad -- it limits the flexibility of the system -- but security is the higher priority...)
Tags: programming, querki
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 0 comments