From: Richard Cornford on
On Jun 10, 1:36 pm, Gordon wrote:
> On Jun 10, 8:56 am, Bwig Zomberi wrote:
>> > On Jun 6, 10:17 pm, Bwig Zomberi wrote:
>>>> Bwig Zomberi wrote:
>
>>>>> Can someone explain how click jacking is done? And, provide
>>>>> some code. Also, some info on countermeasures would be great.
<snip>
>
>> I am specifically worried on clickjacking in user-generated
>> content.
<snip>
>> It affects sites such as Facebook and Twitter.
>
>> I plan to create some comment forms on my site. Would it be enough
>> if I remove iframes tags or would I have to strip all tags?
>
> Stripping all <script> tags and tags that allow inline content
> such as iframes should cover most cases.

Intrinsic event attributes would also have to be removed. Probably
along with STYLE attributes and elements (and LINKs that import
external style sheets) so IE's - expression - extension to CSS could
not be employed.

It is probably easier to do what some other sites do and provide a
limited set of alternative 'mark-up' symbols, say - [p] - for an
opening paragraph tag, and transform those into the HTML mark-up that
will be used, with everything that is not in that (small) set of
symbols appropriately escaped/entified (so things like '<' converted
to '&lt;') so that any mark-up it may contain will not be recognised
as such by the browser.

> You'd be far better doing it server side though, as client side
> validation with javascript is easily turned off.

Yes, attempting to sanitize user input only on the client is a waste
of effort.

Richard.
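The escape-then-transform approach described above (entify everything first, then translate a small set of bracketed symbols into HTML), as an added example in JavaScript that is not code from this thread. The page names only [p]; the other tags in the table, the function names and the "close unclosed tags at the end" rule are my assumptions.

```javascript
// Added example, not from the original thread. The [p] symbol is the one
// the post mentions; the rest of this tag table is an assumption.
const TAGS = {
  p: 'p', b: 'strong', i: 'em', quote: 'blockquote', code: 'code',
};

// Step 1: entify every character that could start mark-up, so nothing the
// user typed (iframes, script tags, event attributes, style) reaches the
// browser as HTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Step 2: on the already-escaped text, translate only recognised
// [tag] / [/tag] symbols into HTML. Unknown symbols and mismatched closing
// tags stay as literal text; anything left open is closed at the end so
// the fragment cannot break out of its container.
function renderComment(text) {
  const open = [];
  let html = escapeHtml(text).replace(/\[(\/?)([a-z]+)\]/g, (match, slash, name) => {
    const el = TAGS[name];
    if (!el) return match;                          // not whitelisted: literal
    if (slash === '') { open.push(el); return `<${el}>`; }
    if (open.length && open[open.length - 1] === el) {
      open.pop();
      return `</${el}>`;
    }
    return match;                                   // stray close: literal
  });
  while (open.length) html += `</${open.pop()}>`;
  return html;
}

// Constructed sample: user-supplied mark-up is neutralised, [p] is honoured.
console.log(renderComment('[p]Hello <iframe src="x"></iframe>[/p]'));
```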