restricting document.write and document.createTextNode

Mar 1st, 2007, 12:12 AM

I noticed on some sites that allow you to write HTML and JavaScript into them for various reasons (auction sites, social networking sites etc.) that they restrict the use of certain functions in JavaScript like document.write and document.createTextNode. My question is how do you do this? If I make a site that allows users to insert such code, how could I duplicate this effect and how could this be defeated?

Mar 1st, 2007, 12:42 AM
You will probably need to use regular expressions in order to search for patterns in submitted text and remove anything that you don't wish to allow submitted.

Mar 1st, 2007, 12:43 AM
Likely they do this by creating a whitelist or blacklist of certain JS functions, and restrict JS usage in this way...I recommend using a whitelist for the greatest security, since your users are only likely to need certain JS functions...

Mar 1st, 2007, 10:16 AM
Well, actually I didn't mean it like this: you have a textarea where you input HTML and then you click next and then if you insert document.write some red text appears saying you aren't allowed to use it. This is pretty straightforward.

On these sites I can include document.write and it will be accepted but it will not work in the final document. On eBay, for example, whenever you post a new auction a JavaScript file is generated, "viewitembody_eXXXXus.js", if of course you are on the US website; otherwise it can be fr or it or es or whatever, and the X are numbers.

Anyway, I don't have an eBay account because I am not a trader, but I saved one of the existing public auctions and noticed this:

If I write document.write or document.createtextelement in the description div it doesn't work until I delete this line:

<script src="http://include.ebaystatic.com/js/e497/us/features/viewitem/viewitembody_eXXXXus.js">

I was wondering how they did this? I noticed this in other sites as well.
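Added example, not part of the thread and not eBay's code (the thread does not show what the included script contains): one mechanism that produces the behaviour described in the last post, where a script loaded by the host page replaces `document.write` and `document.createTextNode` with stubs, so later calls are accepted but do nothing. It runs under Node against a constructed stand-in for `document`; `makeFakeDocument`, `restrictDocument` and `demo` are hypothetical names.

```javascript
// Constructed stand-in for a browser document so the example runs offline.
function makeFakeDocument() {
  const output = [];
  return {
    output,
    write(html) { output.push(html); },
    createTextNode(text) { return { nodeType: 3, data: String(text) }; },
  };
}

// Hypothetical host-page script: replace the named methods with stubs that
// record the attempt and return nothing. The property is made non-writable
// and non-configurable so a plain assignment cannot put a working one back.
function restrictDocument(doc, names, log) {
  for (const name of names) {
    const blocked = function () {
      log.push({ method: name, args: Array.from(arguments) });
    };
    Object.defineProperty(doc, name, {
      value: blocked, writable: false, configurable: false, enumerable: true,
    });
  }
  return doc;
}

function demo() {
  const doc = makeFakeDocument();
  const log = [];
  doc.write('<p>before</p>');                      // still works here
  restrictDocument(doc, ['write', 'createTextNode'], log);

  // "User" code that runs after the host script has been loaded.
  doc.write('<p>user content</p>');                // ignored, only logged
  const node = doc.createTextNode('hi');           // undefined

  // A plain reassignment fails: silently in sloppy mode, TypeError in strict.
  try {
    doc.write = function (html) { doc.output.push(html); };
  } catch (e) { /* strict mode: assignment to a read-only property */ }
  doc.write('<p>again</p>');

  return {
    written: doc.output.slice(),
    node,
    attempts: log.map((entry) => entry.method),
    stillBlocked: doc.output.length === 1,
  };
}
```

An override like this only affects the names it replaces and runs in the same context as the user's script, so treat it as a convenience control; isolating untrusted markup (for example in a sandboxed iframe or behind a Content Security Policy) is what provides an actual boundary.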