Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <blockquote> <p>Is this by itself dangerous in any way? My point being, can just the simple act of creating a DOM somehow inject anything, or is it just simply processed and the structure is created?</p> </blockquote> <p>Simply creating an element <em>without</em> appending it to the dom will not cause any script to run since it is purely an object at this point (HtmlScriptElement). When it is actually appended to the dom the script element will be evaluated and ran by the browser. With that being said <em>I suppose</em> it is possible that an extremely crafty person could exploit a bug that is present in some framework or browser you might be using to cause an undesired outcome.</p> <p>Consider this example:</p> <pre><code>&lt;p&gt; &lt;input type="button" value="Store 'The Script' In Variable" id="store"/&gt; &lt;input type="button" value="Append 'The Script' To Dom" id="append"/&gt; &lt;/p&gt; &lt;br/&gt; &lt;p&gt; &lt;input type="button" value="Does nothing"/&gt; &lt;/p&gt; &lt;h1&gt;The Script&lt;/h1&gt; &lt;pre id="script"&gt; $(function(){ function clickIt(){ $(this).clone().click(clickIt).appendTo("body"); } $("input[type='button']").val("Now Does Something").click(clickIt); }); &lt;/pre&gt; var theScript; $("#store").click(function() { theScript = document.createElement('script'); var scriptText = document.createTextNode($("#script").text()); theScript.appendChild(scriptText); }); $("#append").click(function() { var head = document.getElementsByTagName('head')[0]; head.appendChild(theScript); }); </code></pre> <p>When you click on <code>store</code> it will create the HtmlScriptElement and store it into a variable. You will notice that nothing is ran even though the object is created. As soon as you click <code>append</code> the script is appended to the dom and immediately evaluated and the buttons do something different.</p> <p><a href="http://jsfiddle.net/markcoleman/TzGWe/1/" rel="nofollow"><strong>Code Example on jsfiddle</strong></a></p> <p><br/></p> <blockquote> <p>Can any functions in javascript/jquery "watch" for elements being created in this manner and act on it BEFORE it's been stripped of bad elements and put on document?</p> </blockquote> <p>jQuery <em>sort</em> of does that for you already as it does some internal script eval</p> <p><br/><em>From <a href="http://api.jquery.com/append/#comment-67912032" rel="nofollow">Karl Swedberg</a> post on <code>.append()</code></em></p> <blockquote> <p>All of jQuery's insertion methods use a domManip function internally to clean/process elements before and after they are inserted into the DOM. One of the things the domManip function does is pull out any script elements about to be inserted and run them through an "evalScript routine" rather than inject them with the rest of the DOM fragment. It inserts the scripts separately, evaluates them, and then removes them from the DOM. ...</p> </blockquote> <p>You could alter the behavior of jQuery to remove all <code>&lt;script/&gt;</code> and sanitize other elements with inline javascript <code>onclick, mouseover, etc</code> when calling <code>append()</code> however that will only affect jQuery as someone could easily use vanilla javascript to append the <code>&lt;script/&gt;</code> element.</p> <p><strong>Dom Mutation Events</strong></p> <p><a href="http://www.w3.org/TR/DOM-Level-2-Events/events.html#Events-MutationEvent" rel="nofollow">Dom Level 2</a> does defined some Dom mutation events to capture elements that are added to the dom one would look towards the event, <a href="https://developer.mozilla.org/en/XUL/Events#Mutation_DOM_events" rel="nofollow">DOMNodeInserted</a>. However it is fired after the element has already been added. <strong><em>note</em></strong>, per Raynos these are currently <a href="http://www.w3.org/TR/DOM-Level-3-Events/#events-mutationevents" rel="nofollow">deprecated</a>. </p> <blockquote> <p>DOMNodeInserted Fired when a node has been added as a child of another node. This event is dispatched after the insertion has taken place. The target of this event is the node being inserted. Bubbles: Yes Cancelable: No Context Info: relatedNode holds the parent node</p> </blockquote> <p>In the end it appears there is no totally stop a <code>&lt;script/&gt;</code> being appended to the dom via some other javascript. (at least not that I can find).</p> <p>The best way I can suggest is to <strong><em>never ever trust user input as all user input is evil</em></strong>. When you do dom manipulation double check to make sure there are no forbidden tags, be it <code>&lt;script/&gt;</code> or even plain <code>&lt;p/&gt;</code> elements and sanitize all input before it is persisted. </p> <p>Also as John points out you need to worry about <strong><em>any</em></strong> element that can attach a <code>onclick</code> event or any inline javascript event handler.</p>
    singulars
    1. This table or related slice is empty.
    1. POIs Javascript/jQuery DOM creation safe until it's added to the document?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USMark Coleman
    1. USMark Coleman
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POIs Javascript/jQuery DOM creation safe until it's added to the document?
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COThanks for your interesting observations. So it seems it would be a safe-ish way of doing it, only if when you finally do `$dom.appendTo('body')` all script (and any other "bad" elements) are striped out. There doesn't seem to be any reliable way for a user to otherwise "force" the DOM to evaluate any code, because as you say, "they are simply instances of HTML Element." By the way -- "double check to make sure there are no invalid tags" -- there's no such thing as an "invalid" tag ;-) "<hello>" is just as valid as "<ul>"
      singulars
      1. PO
      1. USGary Green
    2. CO@Gary, I adjusted to say forbidden tags or tags you don't deem safe and want stripped out. `:)`
      singulars
      1. PO
      1. USMark Coleman
    3. CO@Mark DOM mutation events are currently deprecated and the spec is being re-written. So don't expect those to become standard in the near future.
      singulars
      1. PO
      1. USRaynos
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload