
View Full Version : document.location injection prevention and sanitation, help



nightkarnation
07-10-2012, 07:48 PM
Hey Guys!
I am a complete noob with JavaScript and I need some suggestions if possible...
I have a swf file loading from html but I am using the following javascript script:



<SCRIPT LANGUAGE="JavaScript">
<!--
document.write(
'<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"\n'+
' codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0"\n'+
' WIDTH="800" HEIGHT="675" id="MBid">\n'+
' <PARAM NAME=movie VALUE="MBid.swf'+document.location.search+'">\n'+
' <PARAM NAME=quality VALUE=high>\n'+
' <PARAM NAME=bgcolor VALUE=#FFFFFF>\n'+
' <PARAM NAME=wmode VALUE=Opaque>\n'+
' <EMBED src="MBid.swf'+document.location.search+'"\n'+
' quality=high bgcolor=#FFFFFF wmode=transparent WIDTH="800" HEIGHT="675" NAME="MBid"\n'+
' TYPE="application/x-shockwave-flash"\n'+
' PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED>\n'+
'</OBJECT>');
//-->
</SCRIPT>


I am worried about the document.location.search that I use for sending a string variable to flash...
Someone can perform a "flash parameter injection" right?
How would I go about performing some kind of sanitation inside the JavaScript code? (expecting only letters a-z and numbers 0-9)
Any ideas?
Thanks a lot in advance!!!
Cheers!

Old Pedant
07-10-2012, 08:28 PM
document.location.search *WILL* include the ? but it looks to me like you actually want that.

So you could do

<script type="text/javascript">
var srch = document.location.search;
if ( srch.length > 1 )
{
srch = srch.substring(1); // strip off the ?
srch = srch.replace(/[^\w]/g,""); // zap all except letters, numbers, underline
document.write(
'<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"\n'+
' codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0"\n'+
' WIDTH="800" HEIGHT="675" id="MBid">\n'+
' <PARAM NAME=movie VALUE="MBid.swf?'+srch+'">\n'+
' <PARAM NAME=quality VALUE=high>\n'+
' <PARAM NAME=bgcolor VALUE=#FFFFFF>\n'+
' <PARAM NAME=wmode VALUE=Opaque>\n'+
' <EMBED src="MBid.swf?'+srch+'"\n'+
' quality=high bgcolor=#FFFFFF wmode=transparent WIDTH="800" HEIGHT="675" NAME="MBid"\n'+
' TYPE="application/x-shockwave-flash"\n'+
' PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED>\n'+
'</OBJECT>');
}
</script>

Notice I put the ? back in explicitly, after stripping it off in the testing.

Also: language=javascript is LONG obsolete
Also: the need for <!-- and //--> went away when MSIE 3 died, about 1998.
Also: document.write is also considered obsolescent, but we can probably make a case for its use in this circumstance.

Old Pedant
07-10-2012, 08:31 PM
If you want to also disallow underlines (though I think they are probably okay), you can change /[^\w]/g to /[^A-Za-z0-9]/g

But I'm curious: This will also mean that the query string can't contain any = signs.

That is, you can't pass "name=bob&size=30"

Is that what you need?

nightkarnation
07-10-2012, 09:31 PM
Hey Pedant!
Thanks a lot for your kind help!!
Now I have a wider vision as to how it could work...

Let me explain better what I need to pass from html/java to flash...

I need to pass these variables (only sometimes and separated, not at the same time):

www.mysite.com?actnum=53253838340
www.mysite.com?referral=user_3

just for reference: the only characters that I need/Expect from url variable are: 0-9 a-z A-Z _ -

I tried to tweak your script but I can't get it to work properly, maybe with this information you can help me out based on this data.

Thanks A LOT!!
cheers!

Old Pedant
07-10-2012, 09:58 PM
Okay...not hard.



var valid = /^\?[a-z]+\=[\w]+$/i;
var srch = document.location.search;
if ( valid.test( srch ) )
{
srch = srch.substring(1); // strip off the ... we know rest is valid!
document.write( ... as above ... );
}

That assumes, as you said, that there is only *ONE* name=value pair after the ?

If you wanted to allow more than one pair, you could try:


var valid = /^\?[a-z]+\=[\w]+(\&[a-z]+\=[\w]+)*$/i;
... rest same ...


Or, if you wanted to *ONLY* allow actnum= or referral= you could do


var valid = /^\?(actnum|referral)\=[\w]+$/i;
... rest same ...
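
The two approaches from Old Pedant's replies (strip everything but word characters, versus validate the whole query string against an allow-list and refuse anything else) side by side, as an added example that is not code from the thread. The functions take the raw document.location.search string as an argument so they run outside a browser; the value class is [\w-] rather than \w because nightkarnation listed "-" among the expected characters (an extension of Old Pedant's regex, not his code), and the sample query strings, including the attack-shaped ones, are constructed for this example.

```javascript
// Added example, not from the thread. Pure functions over the raw
// document.location.search string so they can be exercised without a DOM.

// Strategy 1 (first reply): drop the "?" and delete every character that is
// not a letter, digit or underscore. Never rejects anything, but it is lossy:
// "=" and "&" vanish too, so "name=bob&size=30" becomes "namebobsize30".
function stripToWordChars(search) {
  if (search.length <= 1) return "";              // "" or a lone "?"
  return search.substring(1).replace(/[^\w]/g, "");
}

// Strategy 2 (later reply): accept only one of the two expected parameter
// names with a value drawn from [A-Za-z0-9_-], and refuse anything else.
// The "-" in the value class is an assumption taken from the poster's spec.
var VALID_QUERY = /^\?(actnum|referral)=([\w-]+)$/i;

function validateQuery(search) {
  var m = VALID_QUERY.exec(search);
  if (m === null) return null;                    // wrong name, bad char, extra pairs
  return { name: m[1].toLowerCase(), value: m[2] };
}

// Build the SWF URL only from a validated pair. encodeURIComponent is a second
// line of defence; with the allow-list above it never actually changes anything.
function buildSwfUrl(search) {
  var q = validateQuery(search);
  if (q === null) return "MBid.swf";              // reject: load the movie with no parameters
  return "MBid.swf?" + q.name + "=" + encodeURIComponent(q.value);
}

// The fragment that would go into document.write. Because the URL can only
// contain [A-Za-z0-9_%?=.-], concatenating it inside a double-quoted attribute
// cannot break out of the attribute or the tag.
function buildEmbedHtml(search) {
  var url = buildSwfUrl(search);
  return '<PARAM NAME="movie" VALUE="' + url + '">\n' +
         '<EMBED src="' + url + '" TYPE="application/x-shockwave-flash">';
}

// Constructed sample inputs for this example (not from the thread).
var SAMPLES = [
  "?actnum=53253838340",
  "?referral=user_3",
  "?referral=user-3",                          // "-" is in the poster's expected set
  "?name=bob&size=30",                         // two pairs: mangled by strategy 1
  "?referral=x\"><script>alert(1)</script>",   // attempt to break out of the attribute
  "?referral=x&allowScriptAccess=always",      // attempt to smuggle an extra Flash parameter
  "?actnum=1%27%22"                            // percent-encoded quotes
];

// Usage: in the page, call buildEmbedHtml(document.location.search).
// Run under Node to see how each sample is treated by both strategies.
SAMPLES.forEach(function (s) {
  console.log(JSON.stringify(s));
  console.log("  strategy 1 ->", JSON.stringify(stripToWordChars(s)));
  console.log("  strategy 2 ->", JSON.stringify(validateQuery(s)), "->", buildSwfUrl(s));
});
```

Strategy 1 is safe but silently turns `?actnum=53253838340` into `actnum53253838340`, which is the point Old Pedant raises about `=` signs; strategy 2 keeps the pair intact and refuses everything it was not told to expect, including a second `&`-joined parameter aimed at the Flash plugin.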

nightkarnation
07-11-2012, 02:16 AM
Awesome!!
Thanks a lot Pedant!!!


