LordDan
05-19-2009, 06:45 PM
Hey guys,
I'm new to the forums and have a question relating to security with user JavaScript. This post will be somewhat long-winded, as I like to explain in full detail.
The Aim
I have been developing the 3rd version of my website for a while now. The website allows a user to create their own Virtual Pet Game by simply signing up, choosing a game name and clicking create. All the files are then generated (the core language is PHP) and they can then edit their game, add new items and pets and so on using their game's control panel, much like a built-in backend admin panel.
With the upcoming 3rd version, I wanted to allow users to create their own features and games using JS, and I would set up some prebuilt hidden functions, like setMoney(xxx); for changing their game money, etc.
These functions are hidden and cannot be edited, and use Ajax to run the required PHP to change the money.
However, I know allowing user JS is a security flaw. The users cannot upload their own JS files, but one is generated for them. They can then put JavaScript into this file (via a textarea within their cPanel) and click the save button.
From here I use PHP's str_ireplace() function to remove JS (or parts of functions) that could potentially be dangerous, as well as a few other bits. So far I have:
$NewJs = str_ireplace("getHTTPObject", "", $NewJs);
$NewJs = str_ireplace("onreadystatechange", "", $NewJs);
$NewJs = str_ireplace("request.open", "", $NewJs);
$NewJs = str_ireplace("request.send", "", $NewJs);
$NewJs = str_ireplace("readyState", "", $NewJs);
$NewJs = str_ireplace("JSON", "", $NewJs);
$NewJs = str_ireplace("document.cookie", "", $NewJs);
$NewJs = str_ireplace("XSS", "", $NewJs);
$NewJs = str_ireplace("iframe", "", $NewJs);
$NewJs = str_ireplace("jQuery", "", $NewJs);
$NewJs = str_ireplace("ajax", "", $NewJs);
$NewJs = str_ireplace("$.get", "", $NewJs);
$NewJs = str_ireplace("<script", "", $NewJs);
$NewJs = str_ireplace("</script>", "", $NewJs);
$NewJs = str_ireplace(">script", "", $NewJs);
$NewJs = str_ireplace("XMLHttpRequest", "", $NewJs);
$NewJs = str_ireplace("ActiveXObject", "", $NewJs);
What I would like to know is if I have missed anything important, or if there is another way of safely allowing JS whilst securing potentially dangerous functions.
[EDIT:] For the purpose of clarity, here is a hospital feature, using some prebuilt functions, that a user could make themselves.
function Hospital(money, petHealth, petMaxHealth) {
    if (money < 100) {
        document.getElementById('MyHospital').innerHTML = "Sorry, but you cannot afford my medical services.";
    } else {
        setHealth(petMaxHealth); // Prebuilt function to set pet health back to full.
        var newMoney = money - 100;
        setMoney(newMoney); // Prebuilt function to change money.
        document.getElementById('MyHospital').innerHTML = "Don't worry, your pet will be fine. <br /> You paid 100 for medical treatment.";
    }
}
This, of course, will allow users to make their game more custom. But security is an issue before I consider making it an available feature.
Thanks in advance. :thumbsup:
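The following is an added example, not code from the post above. It re-implements the post's str_ireplace() chain in JavaScript (same terms, same order, case-insensitive, single pass) and then feeds it inputs a user could type into the textarea. Each input either passes the filter unchanged or is turned by the filter itself into one of the blocked names, and at run time the browser sees exactly the identifier the list was meant to keep out. The payload strings are constructed for this example; new Function stands in for the browser executing the saved file.

```javascript
// Added example (not from the original post): the post's str_ireplace()
// blacklist re-implemented in JavaScript, then fed inputs that survive it
// while still producing the blocked identifiers at run time.

// Same terms, same order as the PHP chain in the post.
const BLACKLIST = [
  "getHTTPObject", "onreadystatechange", "request.open", "request.send",
  "readyState", "JSON", "document.cookie", "XSS", "iframe", "jQuery",
  "ajax", "$.get", "<script", "</script>", ">script", "XMLHttpRequest",
  "ActiveXObject",
];

// Escape a literal so it can be used inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Equivalent of the PHP chain: every term is deleted case-insensitively,
// one term after another, in list order. Nothing is re-checked afterwards.
function strIreplaceChain(js) {
  let out = js;
  for (const term of BLACKLIST) {
    out = out.replace(new RegExp(escapeRegExp(term), "gi"), "");
  }
  return out;
}

// Evaluate a filtered snippet as an expression and return the value the
// browser would compute from it. (Node has no window/document, so the
// expressions below build the forbidden *names* rather than call them.)
function runtimeValue(snippet) {
  return new Function("return (" + snippet + ");")();
}

// Constructed payloads: what a user types into the textarea.
const BYPASSES = {
  // 1. The filter creates the blocked token: "XSS" is deleted after
  //    "document.cookie" was already checked, gluing the halves together.
  deletionGlue: '"document.coXSSokie"',
  // 2. Concatenation: the blocked substring never appears in the source.
  concat: '"XMLHttp" + "Request"',
  // 3. Hex escape: the literal bytes differ, the decoded string does not.
  hexEscape: '"\\x58MLHttpRequest"',
  // 4. Same trick for the other constructor on the list.
  constructorName: '"Active" + "XObject"',
};

// Run every payload through the filter and report what reaches the browser.
function bypassReport() {
  return Object.entries(BYPASSES).map(([name, source]) => {
    const filtered = strIreplaceChain(source);
    return {
      name,
      source,
      filtered,
      unchanged: filtered === source,
      runtime: runtimeValue(filtered),
    };
  });
}

for (const row of bypassReport()) {
  console.log(`${row.name}: typed ${row.source} -> saved ${row.filtered} -> browser sees ${row.runtime}`);
}
// Ordering matters for the glue trick too: "iframe" is checked before "ajax".
console.log(strIreplaceChain("ifrajaxame")); // -> iframe
```

Two things the demonstration is meant to make concrete. First, a deny-list over source text cannot be completed: besides the splitting tricks above, `fetch`, `eval`, `new Function`, `setTimeout` with a string, `location`, or an `Image().src` assignment are not on the list at all, and any one of them is enough to read the page or send data off-site. The usual answer is to change the trust boundary rather than the filter: load user scripts from a separate origin in a sandboxed frame, and expose the game actions through a small message-based API. Second, note that in the Hospital example the client computes `newMoney` and passes it to setMoney(); whatever the front end does, the PHP behind that Ajax call has to decide itself whether the caller may set that balance, because anything the browser sends can be sent directly without going through the generated file.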