  1. #1
    Regular Coder
    Join Date
    Jun 2008
    Posts
    102
    Thanks
    6
    Thanked 9 Times in 9 Posts

    Question Security risks of letting users execute javascript?

    I was thinking it would be kind of useful to have a console-like thing on my website. If the site is a large website like this one, what kinds of security risks would be present if they could type in whatever text they wanted then execute it?
    I don't think it would be bad at all because they can just as easily do that in the URL bar of their browser.

    javascript: blah; blah;

    Also, there wouldn't be a way for their scripts to affect other users, or the server. At least, none I can think of.

    What are your thoughts/concerns?
    Last edited by hotwheelharry; 06-13-2008 at 03:39 PM.

  • #2
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,029
    Thanks
    203
    Thanked 2,539 Times in 2,517 Posts
    What would be the point?

    On the face of it it sounds a bad idea, but as you say their scripts would not affect other users or the server. Or not - what about AJAX?

  • #3
    Regular Coder
    Join Date
    Jun 2008
    Posts
    102
    Thanks
    6
    Thanked 9 Times in 9 Posts
    It would just be a fun little thing I guess. Do you think they could do any harm from it?

  • #4
    Senior Coder rnd me's Avatar
    Join Date
    Jun 2007
    Location
    Urbana
    Posts
    4,350
    Thanks
    11
    Thanked 589 Times in 570 Posts
    i don't see any harm, other than inviting attacks.

    you can already do this using firebug, and selecting "larger command line" under options.

    i have greasemonkey going on this forum that uses vbforum apis to perform some of the tasks.

    let the user arrange their bits however they want, it won't affect you, your site, or other users.



    one thing to watch out for is letting people post their scripts, and having the code be accessible to others. if users blindly execute unknown scripts, they could compromise cookie info, and open the usual mimetype handler issues associated with javascript hacking.
    my site (updated 13/9/26)
    BROWSER STATS [% share] (2014/5/28) IE7:0.1, IE8:5.3, IE11:8.4, IE9:3.2, IE10:3.2, FF:18.2, CH:46, SF:7.9, NON-MOUSE:32%
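
The distinction drawn in post #4, as an added example that is not part of the original thread: code a user types into their own console may run, while code that arrives from anyone else is only ever shown as escaped text. All names (`Source`, `consolePolicy`, `renderSharedSnippet`) and the sample snippets are hypothetical and constructed for illustration.

```javascript
// Where a snippet came from decides whether the console may run it.
const Source = Object.freeze({ TYPED: 'typed', SHARED: 'shared' });

// Escape text so a snippet posted by one user is shown as inert text
// in another user's page instead of being parsed as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a snippet for display to other users: escaped, inside <pre><code>.
function renderSharedSnippet(code) {
  return '<pre><code>' + escapeHtml(code) + '</code></pre>';
}

// Decide what the console does with a snippet.
//  - typed by the current user in this session: may run; this is no more
//    than they can already do from the URL bar or Firebug.
//  - anything else (another user's post, a link parameter, an unknown
//    source): never executed automatically, only displayed escaped.
function consolePolicy(snippet) {
  if (snippet.source === Source.TYPED) {
    return { execute: true, html: null };
  }
  return { execute: false, html: renderSharedSnippet(snippet.code) };
}

// Constructed samples: one snippet typed locally, one posted by someone else
// that tries to break out of the <code> element and read the cookie.
const typed = { source: Source.TYPED, code: 'document.title = "hi";' };
const shared = {
  source: Source.SHARED,
  code: '</code><script>alert(document.cookie)</script>',
};

console.log(consolePolicy(typed));
console.log(consolePolicy(shared));
```

The policy fails closed: a snippet with a missing or unrecognised `source` is treated as shared and is not executed.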

  • #5
    Regular Coder
    Join Date
    Jun 2008
    Posts
    102
    Thanks
    6
    Thanked 9 Times in 9 Posts
    ahh right, XSS right? ya, I don't want that.

