Input field for javascript / json input and security issues

Question

Input field for javascript / json input and security issues

I want visitors to my web pages to access a text area where they can write a small bit of javascript to configure certain functions.

Imagine javascript looks something like this:

{
max: 100;
allowFeedback false;
filterEnabled: true,
}

I would like to evaluate what they write, and then my javascript will do something depending on your options:

so this will be:

var userCode = document.getElementById ("textarea"). value;
var result = eval (userCode);
.. if (result.filterEnabled) {...}
if (result.allowFeedback) {...} ...

Question: can user really enter any javascript there? something evil, something wrong, what can I do to check its code before execution?

Many thanks

+4

json javascript security

Chez Apr 15 '10 at 13:06

source share

5 answers

Satya prakash · Answer 1 · 2010-09-23T07:22:50+0000

Read this article on JSON and security. There is also code and an example. Parsing JSON using JSON Parser or eval ()! . This should be useful for you.

Arkku · Answer 2 · 2010-04-15T13:12:20+0000

If you eval what you write, they could write and run any javascript that you could write at the place of the eval call. I would only suggest allowing very limited syntax (e.g. variable=value with a limited set of allowed variables and values) and then parse this.

Edit: if available, you can also use the JSON parser for JavaScript instead of eval , for example. JSON.parse .

Simone margaritelli · Answer 3 · 2010-04-15T13:13:53+0000

Read this on CSRF ... it is not recommended to parse any user input, trust me.

rook · Answer 4 · 2010-04-15T16:18:06+0000

The code you posted is vulnerable to DOM Based XSS , and all XSS rules still apply. Often these vulnerabilities can be found in JavaScript, but this is a good example. I would not use this code. If you really want this feature, then you should put it in your own domain, which has no sessions / authentication / anything useful.

Praveen kumar patidar · Answer 5 · 2013-02-12T06:24:52+0000

I had a similar use for a long time. This may seem like a childish answer, but before evaluating you can analyze characters like <> and. on purpose. So the content will no longer be a valid program. The main scenarios contain points and <>, which can be filtered for evaluation. or replace some other characters.

Input field for javascript / json input and security issues

More articles: