In short, all someone has to do is use JavaScript's cookie code to fetch your PerlMonks cookie and deliver it to the malicious user. You don't even have to click a button. Put the JavaScript in an <img src="javascript:do_evil()"> tag, or any of the other dozens of ways of invoking JavaScript, which will neatly circumvent most regexp means of preventing it. The browser has to assume that all code and content coming from a web site is "sanctioned" and approved by that web site, so anything that comes in and tries to muck with the site's cookies or whatever has to be considered legitimately from that site, which means it'll be permitted.

The bottom line: Allowing anybody to put their own content on your web site (such as message boards or sites like this) is a bad idea unless you severely limit what they're allowed to put up. This includes all scripting languages and quite a lot of HTML tags and attributes. As much as I'd hate to see JavaScript go, it's simply not possible to write a secure "parser" that will remove evil JavaScript and permit what's left.

I'd like to thank of all of you who wear the white hats and let me know about potential problems, sadly it's inevitable that not all people with wear the white hat.

vroom | Tim Vroom | vroom@cs.hope.edu

Sad, sad day.

Well, silver lining time: Lets add a new toy to replace the old JS one! Here is what I am thinking: PM-code already scans through a node looking for [ and ] and <code> tags and such. Why not start a library of user defined PM tags. These tags would call a predefined function that does something. (This is like a specialized Server side include, which is not the same as the client side JavaScript) This library would be under the direct control of either Vroom or a few high level monks. (Either another clan or just the saints or something.) Anyway, the idea being that when you come up with something cute you would like to have on your node you submit it to the maintainer of the library who then tells you the tag to use. (or not if the idea is rejected.) Other users can then incorporate these new ideas as they choose by using the same tags. And of course, a few data points will be made available to this library (visitor's name, level, and maybe XP for example)

So, an example:

sub SetRandomBGColor
{
    my @colorset = qw( aqua white yellow lime );
    my $color = $colorset[rand(@colorset)];
    print "<style><!-- body { background-color:$color;} --></style>";
}

# This could then be used to do something like:
#
# <PM SetRandomBGColor>
#
[download]

Personally, I do not wish to see JavaScript removed from homenodes. I want to see people who abuse the privelage (sp?) banned from the site. I think you should need level 2 or 3 or higher before you can put anything other then <p> on your home node. Ok, maybe they should just be limited to Perl Monks Approved HTML tags. But still, once a person has established themselves as a member of the community their home node should be a place of expression. They should be allowed to do almost anything there (within reason... as defined as non-malicious).

• Some new user posts a javascript that kicks you to another node.
• Some new user posts a javascript on the other node that kicks you back to the first one.

Of course, someone could do the same thing with a refresh <meta> tag. Those aren't allowed any more, are they?

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just go the the link and check out our stats.

Can anyone tell us a *good* use they've put javascript to on their home node? (besides kudra and jcwren's tag-team thang.)

Philosophy can be made out of anything. Or less -- Jerry A. Fodor

I've done an automatic PM surfer, that automatically surfs the PM site. It is good for me, and I need to have it on my home node because of JS security issues (one isn't allowed to read contents from windows loaded from other sites, which is good).
I usually log out before I use it, making surf around as AnonMonk.

However, if someone uses atomatic JS stunts to do bad stuff to others, I believe in removing the user, not their tool.

/brother t0mas

just b.t.w., when did you change your password last ? :-))

Have a nice day
All decision is left to your taste

--
$you = new YOU;
honk() if $you->love(perl)

Just a small note. I don't know about anyone else, but mt2k's node does bounce me to the login page, but does not log me out...

"sometimes when you make a request for the head you don't
want the big, fat body...don't you go snickering."
                                         -- Nathan Torkington UoP2K a.k.a gnat

The only thing JavaScripty about the node is that it automatically submits a form.

I could write my own form, with a hidden node_id field and a carefully prepared chatterbox message, and do the same thing. Without JavaScript, it's not even as malicious as assume all vroom's godly powers.

I didn't mind mt2k's bounce particularly, but I do object to being logged out on j.a.p.h.'s home node, even though the timeout makes it less of a sudden blast of white.

Forced redirection is not one of my favourite things.