How do I turn javascript off PROGRAMATICALLY?

Re: How do I turn javascript off PROGRAMATICALLY ?

Csaba Gabor wrote:
[color=blue]
> So I'm looking for something that will Just say, "No"
> to Javascript "happening" between certain TD tags.[/color]

This type of attack is knowns as cross-site scripting.

You will need to strip or escape all characters which have special
meaning when generating HTML, see
http://www.cert.org/tech_tips/malici...itigation.html for details.

--
Klaus Johannes Rusch
KlausRusch@atme dia.net

Re: How do I turn javascript off PROGRAMATICALLY ?

Csaba Gabor wrote:
[color=blue]
> I'm not talking javascript hara-kiri here. I've got
> a database of web pages or snippets I've created
> and I'd like to display them in a table. So on my
> server (in PHP) I take all the files, and plunk the
> text for each between <TD> tags and return that
> page, everyone's happy.
>
> Now some joker (me) comes along and puts the single line
>
> <SCRIPT>alert(' Hi mom')</SCRIPT>Dad
>
> as the the entry for one file. Sure enough, when
> the client gets the page s/he also gets an alert.
> So what I'd like to do is to turn off any "immediate
> scripting" that happens due to <SCRIPT> tags
> within the <TABLE> element (or even the whole
> document).
>
> But wait, it gets worse. Plunk the following in between
> TD tags (on my IE 6 or Opera 7.23 anyway) and I still
> get the alert:
>
> <html><head><ti tle>hi mom alert test</title></head>
> <body onLoad='alert(" Hi Mom")'>Dad</body></html>
>
> So I'm looking for something that will Just say, "No"
> to Javascript "happening" between certain TD tags.
>
> You know in IE when you click on a .HTM or .HTML
> file you get a minimalist preview of it on the left? That's
> what I want these containing TDs to be.
>
> Thanks, Csaba Gabor
> PS. There's a (post TD) part two to this if we get past
> this part one.
>
>[/color]

You cannot turn off Javascript for the page, but you can filter the
output on the server. The PHP symantecs is out of the scope of this
group, but what it comes down to is this:

When your PHP code outputs it's data fields, do the following:

1. Replace '<' characters with &lt;
2. Replace '>' characters with &gt;

This will cause the data to show up as text, so the script block will
show up exactly the way it is typed, and not execute in the browser.

Brian

Re: How do I turn javascript off PROGRAMATICALLY ?

Klaus Johannes Rusch wrote:[color=blue]
> Csaba Gabor wrote:[color=green]
>> So I'm looking for something that will Just say, "No"
>> to Javascript "happening" between certain TD tags.[/color]
>
> This type of attack is knowns as cross-site scripting.[/color]

It wouldn't only apply to scripting. What happens when someone enters:-

<iframe src="#"></iframe>

? (that potentially gets quite recursive.)
[color=blue]
> You will need to strip or escape all characters which have special
> meaning when generating HTML, see
> http://www.cert.org/tech_tips/malici...itigation.html for
> details.[/color]

Yes, escaping anything that has meaning in HTML, either as the output
page is built or as the data goes into the database (trading an increase
in required storage space for only having to do the job once for each
item).

Richard.

Re: How do I turn javascript off PROGRAMATICALLY ?

Csaba Gabor wrote:
[color=blue]
> I'm not talking javascript hara-kiri here. I've got
> a database of web pages or snippets I've created
> and I'd like to display them in a table. So on my
> server (in PHP) I take all the files, and plunk the
> text for each between <TD> tags and return that
> page, everyone's happy.
>
> Now some joker (me) comes along and puts the single line
>
> <SCRIPT>alert(' Hi mom')</SCRIPT>Dad
>
> as the the entry for one file. Sure enough, when
> the client gets the page s/he also gets an alert.
> So what I'd like to do is to turn off any "immediate
> scripting" that happens due to <SCRIPT> tags
> within the <TABLE> element (or even the whole
> document).
>
> But wait, it gets worse. Plunk the following in between
> TD tags (on my IE 6 or Opera 7.23 anyway) and I still
> get the alert:
>
> <html><head><ti tle>hi mom alert test</title></head>
> <body onLoad='alert(" Hi Mom")'>Dad</body></html>
>
> So I'm looking for something that will Just say, "No"
> to Javascript "happening" between certain TD tags.
>
> You know in IE when you click on a .HTM or .HTML
> file you get a minimalist preview of it on the left? That's
> what I want these containing TDs to be.
>
> Thanks, Csaba Gabor
> PS. There's a (post TD) part two to this if we get past
> this part one.
>
>[/color]

Perhaps htmlentities() in PHP might be of some help.

See http://ca2.php.net/htmlentities
or http://www.php.net/htmlentities

Re: How do I turn javascript off PROGRAMATICALLY ?

JRS: In article <4083c5f4@andro meda.datanet.hu >, seen in
news:comp.lang. javascript, Csaba Gabor <news@CsabaGabo r.com> posted at
Mon, 19 Apr 2004 14:19:55 :[color=blue]
>I'm not talking javascript hara-kiri here. I've got
>a database of web pages or snippets I've created
>and I'd like to display them in a table. So on my
>server (in PHP) I take all the files, and plunk the
>text for each between <TD> tags and return that
>page, everyone's happy.
>
>Now some joker (me) comes along and puts the single line
>
><SCRIPT>alert( 'Hi mom')</SCRIPT>Dad[/color]


You have problems of an altogether different nature, too.

You are, legally, the publisher of whatever appears on your site; and
you may be held responsible if illegal material appears on it.

After the beginning of next month, at least, you will need to comply
with EU law or risk the consequences.

--
© John Stockton, Surrey, UK. ?@merlyn.demon. co.uk Turnpike v4.00 IE 4 ©
<URL:http://jibbering.com/faq/> Jim Ley's FAQ for news:comp.lang. javascript
<URL:http://www.merlyn.demo n.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demo n.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.

Re: How do I turn javascript off PROGRAMATICALLY ?

Dr John Stockton wrote:[color=blue]
> JRS: In article <4083c5f4@andro meda.datanet.hu >, seen in
> news:comp.lang. javascript, Csaba Gabor <news@CsabaGabo r.com> posted at
> Mon, 19 Apr 2004 14:19:55 :
>[color=green]
>>I'm not talking javascript hara-kiri here. I've got
>>a database of web pages or snippets I've created
>>and I'd like to display them in a table. So on my
>>server (in PHP) I take all the files, and plunk the
>>text for each between <TD> tags and return that
>>page, everyone's happy.
>>
>>Now some joker (me) comes along and puts the single line
>>
>><SCRIPT>alert ('Hi mom')</SCRIPT>Dad[/color]
>
>
>
> You have problems of an altogether different nature, too.
>
> You are, legally, the publisher of whatever appears on your site; and
> you may be held responsible if illegal material appears on it.
>
> After the beginning of next month, at least, you will need to comply
> with EU law or risk the consequences.
>[/color]

What law are you speaking of?

Re: How do I turn javascript off PROGRAMATICALLY ?

In article <maqV68CG5DhAFw mq@merlyn.demon .co.uk>,
spam@merlyn.dem on.co.uk enlightened us with...[color=blue]
>
>
> You have problems of an altogether different nature, too.
>
> You are, legally, the publisher of whatever appears on your site; and
> you may be held responsible if illegal material appears on it.
>
> After the beginning of next month, at least, you will need to comply
> with EU law or risk the consequences.
>[/color]

Would sites in other countries also need to comply with EU law?
How could they possibly hope to ensure such compliance?

--
--
~kaeli~
Press any key to continue or any other key to quit

Re: How do I turn javascript off PROGRAMATICALLY ?

JRS: In article <MPG.1aeefd67bd 38c0cc989d96@nn tp.lucent.com>, seen in
news:comp.lang. javascript, kaeli <tiny_one@NOSPA M.comcast.net> posted at
Tue, 20 Apr 2004 10:27:42 :[color=blue]
>In article <maqV68CG5DhAFw mq@merlyn.demon .co.uk>,
>spam@merlyn.de mon.co.uk enlightened us with...[color=green]
>>
>>
>> You have problems of an altogether different nature, too.
>>
>> You are, legally, the publisher of whatever appears on your site; and
>> you may be held responsible if illegal material appears on it.
>>
>> After the beginning of next month, at least, you will need to comply
>> with EU law or risk the consequences.
>>[/color]
>
>Would sites in other countries also need to comply with EU law?
>How could they possibly hope to ensure such compliance?[/color]

The USA appears to believe that it has extraterritoria l legal rights;
why should the EU not have otherwise, perhaps even by treaty?

I believe that Web sites based in the USA or under the control of an
American are requited to comply with American law, and so on.

Let us suppose that you, believed to be an American in America, host
such a site; and that it is used by persons unknown for distributing
messages in support of OBL, YA, and other undesirables, or encouraging
and assisting criminal activity within the USA. ISTM likely that the
FBI, the DHS, or some other Federal agency will become Manifestly
Displeased.

--
© John Stockton, Surrey, UK. ?@merlyn.demon. co.uk Turnpike v4.00 MIME. ©
Web <URL:http://www.merlyn.demo n.co.uk/> - FAQish topics, acronyms, & links.
Proper <= 4-line sig. separator as above, a line exactly "-- " (SonOfRFC1036)
Do not Mail News to me. Before a reply, quote with ">" or "> " (SonOfRFC1036)

Re: How do I turn javascript off PROGRAMATICALLY ?

That's why I want to be able to encapsulate what IE is already able
to do. OK, I've come to the conclusion that I can't really do what I had
wanted very safely. I coded up some regular expressions in PHP
to 1) remove SCRIPT tags, and 2) any onXXX attributes (excluding
onClick) (there were too many that might fire to be selective, such as
onReadyStateCha nge, onResize, onMouseover, blah blah blah),
and 3) src attributes, except for images.

Besides being dog slow, there are still plenty of susceptibilitie s such
as from CSS attributes set locally applying globally (e.g. if one of
the pages to be inserted with the TD element has <BODY bgColor='pink'>
my page will no longer be pretty in pink (groan)).

Furthermore, one of the contained "pages" (they're snippets, after all)
could start off </TD></TR></TABLE> and really wreak layout havoc.
The point is, I would expect to no longer get a valid page anymore.

So, I'm back to my original version of just displaying the underlying
page's text with overflow control.

Csaba Gabor

Re: How do I turn javascript off PROGRAMATICALLY ?

This is way off topic but a very interesting thread.
First off, just to clarify a bit, the table for showing
these encapsulated web pages/snippets is only
meant for me so I don't run into your issues, but
acutally I am curious if you could mention some
specifics about this law or provide a link.

The EU has already passed laws governing the
action of non EU citizens abroad. As I understand
it, if you sell something to an EU citizen, the EU wants
you to collect VAT on its behalf and send it in, right?

Meanwhile, the US had a well publicized case
in the last few years. Remember Dimitri Skylarof?
He's the Russian guy who worked for a company
and legally (in Russia) cracked an Adobe encryption
scheme for his employer, Elcomsoft, a Russian
company (should go to trial later this year).
US grants him a visa and when he arrives to
Vegas, WHAM, Adobe sics the feds on him
for breaking the DMCA, which is a US law that
says you shall not divulge anything about electronic
security flaws no matter how bad they are. Really,
I have to wonder if web programmers fighting against
all the browser bugs there are are violating this law
en masse, for many bugs could be construed as a
form of protection. Sound too farfetched?...

Finally, consider the recent situation that arose in
Hungary. Turns out, doctors in Hungary don't have
the same salary as their western counterparts.
Surprise! So they collect tips. Up front. It's called
gratitude money ("hála pénz"). This is nothing new, it's
been done for years and years. Somebody set up a
website to collect information on how much various
doctors were charging. When the press got ahold of
this there was a huge stink. The government wasn't
happy because it made them look cheap PLUS they
figured out they weren't getting taxes on that money.
The doctors weren't happy cause it made them seem
dirty (the people weren't getting the services that the
government was telling them they were entitled to).
The citizens were not happy because they could either
pay an extra month's worth of wages or wonder whether
the doctor would see them. Of course the news didn't
make any difference to them because everybody already
knew about the situation anyway.

But then a government minister figured that the privacy
of them there doctors was being violated. Can you
imagine? They are flagrantly demanding money from
people (the public) who have already paid to use their
services, and then saying that compiling this information
violates their privacy? I was surprised to hear that
the guy very nicely took his web page down. A month
later I was astounded to hear that the guy was getting sued.
Wait a sec, hadn't he taken his site down right away?
Well, yes, but some guy in America copied the data
and then reposted it when the original site went down.
They evidently couldn't sue the guy in America so they're
going after this guy, I suppose on the grounds that if he
hadn't put up his web site, the guy in America wouldn't
have been able to copy it. I have no idea of the disposition
of this case, but I am curious.

Hoping you don't run afoul of another country's
unknown law that applies to you,
Csaba Gabor

Re: How do I turn javascript off PROGRAMATICALLY ?

Richard Cornford wrote:
[color=blue]
> Klaus Johannes Rusch wrote:[color=green]
> > Csaba Gabor wrote:[color=darkred]
> >> So I'm looking for something that will Just say, "No"
> >> to Javascript "happening" between certain TD tags.[/color]
> >
> > This type of attack is knowns as cross-site scripting.[/color]
>
> It wouldn't only apply to scripting. What happens when someone enters:-
>
> <iframe src="#"></iframe>
>
> ? (that potentially gets quite recursive.)
>[color=green]
> > You will need to strip or escape all characters which have special
> > meaning when generating HTML, see
> > http://www.cert.org/tech_tips/malici...itigation.html for
> > details.[/color]
>
> Yes, escaping anything that has meaning in HTML, either as the output
> page is built or as the data goes into the database (trading an increase
> in required storage space for only having to do the job once for each
> item).
>
> Richard.[/color]

You really don't need to escape "everything " that has meaning. Simply
replace any "<" characters with "&lt;" during output.

Any HTML entered by an end-user will simply appear in the output as HTML,
but will not be parsed by the browser.

--
| Grant Wagner <gwagner@agrico reunited.com>

* Client-side Javascript and Netscape 4 DOM Reference available at:
*


* Internet Explorer DOM Reference available at:
*


* Netscape 6/7 DOM Reference available at:
* http://www.mozilla.org/docs/dom/domref/
* Tips for upgrading JavaScript for Netscape 7 / Mozilla
* http://www.mozilla.org/docs/web-deve...upgrade_2.html

Re: How do I turn javascript off PROGRAMATICALLY ?

"Grant Wagner" <gwagner@agrico reunited.com> wrote in message
news:40882784.7 4FC5837@agricor eunited.com...[color=blue]
> Richard Cornford wrote:
>[color=green]
> > Klaus Johannes Rusch wrote:[color=darkred]
> > > Csaba Gabor wrote:
> > >> So I'm looking for something that will Just say, "No"
> > >> to Javascript "happening" between certain TD tags.
> > >
> > > This type of attack is knowns as cross-site scripting.[/color]
> >
> > It wouldn't only apply to scripting. What happens when someone enters:-
> >
> > <iframe src="#"></iframe>
> >
> > ? (that potentially gets quite recursive.)
> >[color=darkred]
> > > You will need to strip or escape all characters which have special
> > > meaning when generating HTML, see
> > > http://www.cert.org/tech_tips/malici...itigation.html for
> > > details.[/color]
> >
> > Yes, escaping anything that has meaning in HTML, either as the output
> > page is built or as the data goes into the database (trading an increase
> > in required storage space for only having to do the job once for each
> > item).
> >
> > Richard.[/color]
>
> You really don't need to escape "everything " that has meaning. Simply
> replace any "<" characters with "&lt;" during output.
>
> Any HTML entered by an end-user will simply appear in the output as HTML,
> but will not be parsed by the browser.
>[/color]

Yes, that is what I reverted back to doing, only I should first replace "&"
characters
with "&amp;" and then replace "<" character with "&lt;"

Re: How do I turn javascript off PROGRAMATICALLY ?

You know, I've had another think about Richard's iframe line, and
I'm thinking that it might just be the ticket. When I get around to it,
I'll offer a choice to show selected columns as "protected" iframes.
I'll still rip out <SCRIPT> and do the other things that I already
mentioned to prevent the top level window/user from being aversely
affected, and then plunk whatever's left into an Iframe which I'll
stuff into the TD. There, now my top level window shouldn't
have to worry about attributes of elements with the iframes, right?


"Csaba Gabor" <news@CsabaGabo r.com> wrote in message
news:4085dbfb@a ndromeda.datane t.hu...[color=blue]
> That's why I want to be able to encapsulate what IE is already able
> to do. OK, I've come to the conclusion that I can't really do what I had
> wanted very safely. I coded up some regular expressions in PHP
> to 1) remove SCRIPT tags, and 2) any onXXX attributes (excluding
> onClick) (there were too many that might fire to be selective, such as
> onReadyStateCha nge, onResize, onMouseover, blah blah blah),
> and 3) src attributes, except for images.
>
> Besides being dog slow, there are still plenty of susceptibilitie s such
> as from CSS attributes set locally applying globally (e.g. if one of
> the pages to be inserted with the TD element has <BODY bgColor='pink'>
> my page will no longer be pretty in pink (groan)).
>
> Furthermore, one of the contained "pages" (they're snippets, after all)
> could start off </TD></TR></TABLE> and really wreak layout havoc.
> The point is, I would expect to no longer get a valid page anymore.
>
> So, I'm back to my original version of just displaying the underlying
> page's text with overflow control.
>
> Csaba Gabor
>
>[/color]