Justin du Coeur (jducoeur) wrote,

eBay illustrates why allowing JavaScript is *always* a bad idea

[For the programmers]

Here's a delicious little security alert about a vulnerability in eBay, which potentially allows malicious vendors to steal your eBay credentials and such. I recommend reading down to the details -- the JSF**k hack itself is kind of brilliant.

The moral of the story is that any time you see the phrase "code validation" in the context of JavaScript you should worry. Trying to make sure that code isn't going to do anything malicious is almost arbitrarily difficult. You should either allow JavaScript -- in which case you better make sure you have a way to sandbox it and you understand all the possible attacks -- or forbid it outright. Unless you understand the problem *very* deeply, I recommend the latter.

(This is why Querki only allows a subset of HTML and CSS. A large subset, but we intentionally disallow any approach I can find that might allow JavaScript in. In some ways this makes me sad -- it limits the flexibility of the system -- but security is the higher priority...)
Tags: programming, querki
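
As an added illustration of the "forbid it outright" option (not Querki's code; the tag policy, function names and sample input are assumptions constructed here), this puts a hypothetical content-inspection check beside an allowlist sanitizer that never looks at script content at all:

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed policy for illustration only; not Querki's actual allowlist.
ALLOWED = {"p": (), "b": (), "i": (), "ul": (), "li": (), "br": (), "a": ("href", "title")}
SCHEMES = {"http", "https", "mailto"}
DROPPED_WHOLE = {"script", "style"}  # element and its text are discarded unread

def naive_code_validation(html):
    """Hypothetical content check: accept scripts whose body has no letters or digits."""
    bodies = re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)
    return all(not re.search(r"[A-Za-z0-9]", body) for body in bodies)

def safe_url(value):
    cleaned = "".join(ch for ch in value if ch > " ")  # browsers ignore these in a scheme
    scheme = cleaned.split(":", 1)[0].lower() if ":" in cleaned else ""
    return scheme in SCHEMES  # relative URLs are rejected too, to keep the rule simple

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WHOLE:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = [(n, v or "") for n, v in attrs if n in ALLOWED[tag]
                    and (n != "href" or safe_url(v or ""))]  # on* handlers never match
            self.out.append("<" + tag + "".join(
                f' {n}="{escape(v, quote=True)}"' for n, v in kept) + ">")
    def handle_endtag(self, tag):
        if tag in DROPPED_WHOLE:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()  # flush text buffered by convert_charrefs
    return "".join(parser.out)

# Constructed input: inline handler, symbol-only script fragment, obfuscated scheme.
SAMPLE = ('<p onclick="x()">Great <b>item</b>!</p>'
          '<script>[][(![]+[])[+[]]]</script><a href="java\tscript:x()">details</a>')
```

The sanitizer rebuilds its output from parsed tokens instead of editing the input in place, so nothing reaches the page unless the policy names it.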
