StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
text
Body
copied!<blockquote> <p>1. Is this completely insane?</p> </blockquote> <p>Don't think so, but near. Let's see.</p> <blockquote> <p>2. Are there any Javascript sanitizer scripts or good regex patterns out there to scan for alerts, iframes, remote script includes and other malicious Javascript?</p> </blockquote> <p>Yeah, at least there are <a href="http://code.google.com/p/google-caja/" rel="nofollow noreferrer">Google Caja</a> and <a href="http://adsafe.org/" rel="nofollow noreferrer">ADSafe</a> to sanitize the code, allowing it to be <strong>sandboxed</strong>. I don't know up to what degree of trustworthiest they provide, though.</p> <blockquote> <p>3. Should this process be manually authorized (by a human checking the Javascript)?</p> </blockquote> <p>It may be possible that sandbox fails, so it would be a sensible solution, depending on the risk and the trade-off of being attacked by malicious (or faulty) code.</p> <blockquote> <p>4. Would it be more sensible to allow users to only use a framework (like jQuery) rather than giving them access to actual Javascript? This way it might be easier to monitor.</p> </blockquote> <p>JQuery is just plain Javascript, so if you're trying to protect from attacks, it won't help at all.</p> <p>If it is crucial to prevent these kind of attacks, you can implement a custom language, parse it in the backend and produce the controlled, safe javascript; or you may consider another strategy, like providing an API and accessing it from a third-party component of your app.</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload