From: Richard Cornford on 10 Jun 2010 08:53

On Jun 10, 1:36 pm, Gordon wrote:
> On Jun 10, 8:56 am, Bwig Zomberi wrote:
>>> On Jun 6, 10:17 pm, Bwig Zomberi wrote:
>>>> Bwig Zomberi wrote:
>
>>>>> Can someone explain how click jacking is done? And, provide
>>>>> some code. Also, some info on countermeasures would be great.
<snip>
>
>> I am specifically worried about clickjacking in user-generated
>> content.
<snip>
>> It affects sites such as Facebook and Twitter.
>
>> I plan to create some comment forms on my site. Would it be enough
>> if I remove iframe tags or would I have to strip all tags?
>
> Stripping all <script> tags and tags that allow inline content
> such as iframes should cover most cases.

Intrinsic event attributes would also have to be removed. Probably along
with STYLE attributes and elements (and LINKs that import external style
sheets) so IE's - expression - extension to CSS could not be employed.

It is probably easier to do what some other sites do and provide a limited
set of alternative 'mark-up' symbols, say - [p] - for an opening paragraph
tag, and transform those into the HTML mark-up that will be used, with
everything that is not in that (small) set of symbols appropriately
escaped/entified (so things like '<' converted to '&lt;') so that any
mark-up it may contain will not be recognised as such by the browser.

> You'd be far better doing it server side though, as client side
> validation with javascript is easily turned off.

Yes, attempting to sanitize user input only on the client is a waste of
effort.

Richard.