  1. #1 New Coder (joined Jul 2012)

    document.location injection prevention and sanitation, help

    Hey Guys!
    I am a complete noob with JavaScript and I need some suggestions if possible...
    I have a SWF file loading from HTML, and I am using the following JavaScript:

    Code:
    <SCRIPT LANGUAGE="JavaScript">
    <!--
    document.write(
      '<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"\n'+
       ' codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0"\n'+
       ' WIDTH="800" HEIGHT="675" id="MBid">\n'+
       ' <PARAM NAME=movie VALUE="MBid.swf'+document.location.search+'">\n'+
       ' <PARAM NAME=quality VALUE=high>\n'+
       ' <PARAM NAME=bgcolor VALUE=#FFFFFF>\n'+
       ' <PARAM NAME=wmode VALUE=Opaque>\n'+
       ' <EMBED src="MBid.swf'+document.location.search+'"\n'+ 
       '  quality=high bgcolor=#FFFFFF wmode=transparent WIDTH="800" HEIGHT="675" NAME="MBid"\n'+
       '  TYPE="application/x-shockwave-flash"\n'+
       '  PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED>\n'+
       '</OBJECT>');
    //-->
    </SCRIPT>
    I am worried about the document.location.search that I use for sending a string variable to Flash...
    Someone could perform a "flash parameter injection", right?
    How would I go about performing some kind of sanitization inside the JavaScript code? (expecting only letters a-z and numbers 0-9)
    Any ideas?
    Thanks a lot in advance!!!
    Cheers!

  • #2 Old Pedant (Supreme Master coder!, joined Feb 2009)
    document.location.search *WILL* include the ? but it looks to me like you actually want that.

    So you could do
    Code:
    <script type="text/javascript">
    var srch = document.location.search;
    if ( srch.length > 1 )
    {
        srch = srch.substring(1); // strip off the ?
        srch = srch.replace(/[^\w]/g,""); // zap all except letters, numbers, underscore
        document.write(
       '<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"\n'+
       ' codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0"\n'+
       ' WIDTH="800" HEIGHT="675" id="MBid">\n'+
       ' <PARAM NAME=movie VALUE="MBid.swf?'+srch+'">\n'+
       ' <PARAM NAME=quality VALUE=high>\n'+
       ' <PARAM NAME=bgcolor VALUE=#FFFFFF>\n'+
       ' <PARAM NAME=wmode VALUE=Opaque>\n'+
       ' <EMBED src="MBid.swf?'+srch+'"\n'+ 
       '  quality=high bgcolor=#FFFFFF wmode=transparent WIDTH="800" HEIGHT="675" NAME="MBid"\n'+
       '  TYPE="application/x-shockwave-flash"\n'+
       '  PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED>\n'+
       '</OBJECT>');
    }
    </script>
    Notice I put the ? back in explicitly, after stripping it off in the testing.

    Also: language=javascript is LONG obsolete
    Also: the need for <!-- and //--> went away when MSIE 3 died, about 1998.
    Also: document.write is also considered obsolescent, but we can probably make a case for its use in this circumstance.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #3 Old Pedant (Supreme Master coder!)
    If you want to also disallow underlines (though I think they are probably okay), you can change /[^\w]/g to /[^A-Za-z0-9]/g

    But I'm curious: This will also mean that the query string can't contain any = signs.

    That is, you can't pass "name=bob&size=30"

    Is that what you need?

  • #4 New Coder
    Hey Pedant!
    Thanks a lot for your kind help!!
    Now I have a wider vision as to how it could work...

    Let me explain better what I need to pass from html/java to flash...

    I need to pass these variables (only sometimes and separated, not at the same time):

    www.mysite.com?actnum=53253838340
    www.mysite.com?referral=user_3

    just for reference: the only characters that I need/Expect from url variable are: 0-9 a-z A-Z _ -

    I tried to tweak your script but I can't get it to work properly; maybe with this information you can help me out based on this data.

    Thanks A LOT!!
    cheers!

  • #5 Old Pedant (Supreme Master coder!)
    Okay...not hard.

    Code:
    var valid = /^\?[a-z]+\=[\w]+$/i;
    var srch = document.location.search;
    if ( valid.test( srch ) )
    {
        srch = srch.substring(1); // strip off the ?; we know the rest is valid!
        document.write( ... as above ... );
    }
    That assumes, as you said, that there is only *ONE* name=value pair after the ?

    If you wanted to allow more than one pair, you could try:
    Code:
    var valid = /^\?[a-z]+\=[\w]+(\&[a-z]+\=[\w]+)*$/i;
    ... rest same ...
    Or, if you wanted to *ONLY* allow actnum= or referral= you could do
    Code:
    var valid = /^\?(actnum|referral)\=[\w]+$/i;
    ... rest same ...
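As an added example (not code from the thread or from Old Pedant), here is the validate-and-reject approach of post #5 written as plain functions that also run outside a browser, using the parameter names and character set the original poster gave in post #4. The names ALLOWED_PARAMS, validateQuery, buildMovieUrl, buildObjectMarkup, runDemo and the sample queries are my own assumptions and constructed test data. The difference from the strip-everything sanitizer in post #2 is that an unexpected query is dropped entirely rather than cleaned, so nothing attacker-controlled is ever rebuilt into the markup; the example also shows a pitfall of keeping an allowlist in a plain object (inherited property names such as constructor) and goes one step beyond the thread by quoting every attribute and percent-encoding the value, which is what keeps the markup intact if the allowlist is widened later.

```javascript
// Added example, not code from the thread. Names below (ALLOWED_PARAMS,
// validateQuery, buildMovieUrl, buildObjectMarkup, DEMO_QUERIES, runDemo)
// are assumptions chosen for this illustration; the parameter names and
// character set come from post #4 of the thread.

// Allowlist: which parameter names the SWF expects, and what each value
// may look like. Everything else is rejected, not cleaned.
const ALLOWED_PARAMS = {
  actnum:   /^[0-9]+$/,           // numeric account id, e.g. 53253838340
  referral: /^[A-Za-z0-9_-]+$/,   // e.g. user_3 (0-9 a-z A-Z _ -)
};

// Validates a raw document.location.search value ("?name=value").
// Returns "name=value" (without the "?") when it is acceptable, otherwise
// null. Exactly one pair is allowed, as the thread assumes.
function validateQuery(search) {
  if (typeof search !== 'string' || search.length < 2 || search[0] !== '?') {
    return null;
  }
  const m = /^([A-Za-z]+)=([^&=]*)$/.exec(search.slice(1));
  if (m === null) return null;
  const name = m[1].toLowerCase();
  const value = m[2];
  // hasOwnProperty matters: "?constructor=x" or "?toString=x" would
  // otherwise find inherited Object properties on the allowlist object
  // and throw (no .test on a function) instead of being cleanly rejected.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_PARAMS, name)) return null;
  if (!ALLOWED_PARAMS[name].test(value)) return null;
  return name + '=' + value;
}

// Builds the URL that goes into PARAM movie / EMBED src. A rejected query
// loads the movie without parameters instead of passing junk along.
// encodeURIComponent changes nothing for the current allowlist (letters,
// digits, _ and - pass through) but keeps the markup safe if the allowlist
// is ever widened to include characters such as & or ".
function buildMovieUrl(search) {
  const q = validateQuery(search);
  if (q === null) return 'MBid.swf';
  const [name, value] = q.split('=');
  return 'MBid.swf?' + encodeURIComponent(name) + '=' + encodeURIComponent(value);
}

// The OBJECT/EMBED markup from the thread with the validated URL dropped in.
// Every attribute value is quoted, so even a future non-alphanumeric value
// (percent-encoded by buildMovieUrl) cannot terminate an attribute.
function buildObjectMarkup(search) {
  const url = buildMovieUrl(search);
  return (
    '<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"' +
    ' WIDTH="800" HEIGHT="675" id="MBid">\n' +
    ' <PARAM NAME="movie" VALUE="' + url + '">\n' +
    ' <PARAM NAME="quality" VALUE="high">\n' +
    ' <PARAM NAME="bgcolor" VALUE="#FFFFFF">\n' +
    ' <PARAM NAME="wmode" VALUE="opaque">\n' +
    ' <EMBED src="' + url + '" quality="high" bgcolor="#FFFFFF" wmode="opaque"' +
    ' WIDTH="800" HEIGHT="675" NAME="MBid" TYPE="application/x-shockwave-flash"></EMBED>\n' +
    '</OBJECT>'
  );
}

// Constructed sample inputs: the two legitimate queries from the thread plus
// the kinds of strings an attacker would put in a link to the page.
const DEMO_QUERIES = [
  '?actnum=53253838340',
  '?referral=user_3',
  '?referral="><script>alert(1)</script>',   // attribute/markup breakout
  '?movie=http://attacker.example/evil.swf', // unexpected parameter name
  '?actnum=1&referral=x',                    // two pairs; thread expects one
  '?actnum=%22%3E',                          // percent-encoded " and >
  '?constructor=x',                          // inherited-property trick
  '',                                        // no query string at all
];

// Returns [query, resulting movie URL] pairs so the effect is visible.
function runDemo() {
  return DEMO_QUERIES.map((q) => [q, buildMovieUrl(q)]);
}

// In the page itself, replace the thread's document.write call with:
//   document.getElementById('flash-holder').insertAdjacentHTML(
//     'beforeend', buildObjectMarkup(document.location.search));
// where <div id="flash-holder"></div> sits where the movie should appear.
```

Only the first two sample queries survive validation; every other entry falls back to loading MBid.swf with no parameters. If the SWF later needs more than one pair, extend validateQuery to split on & and check each name/value against the same allowlist rather than loosening the regular expression.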

  • #6 New Coder


    Awesome!!
    Thanks a lot Pedant!!!

