Posts Tagged javascript

Cross-Site Scripting vulnerability with JavaScript and JQuery

Think you’ve protected your site against Cross-Site Scripting attacks by escaping all the content that you’ve rendered? Thought about your JavaScript?

Here’s a neat bug that got us today. This example is contrived to show a point.

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>XSS Example</title>
  <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js"></script>
  <script>
    $(function() {
      $('#users').each(function() {
        var select = $(this);
        var option = select.children('option').first();
        select.after(option.text());
        select.hide();
      });
    });
  </script>
</head>
<body>
  <form method="post">
    <p>
      <select id="users" name="users">
        <option value="bad">&lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;</option>
      </select>
    </p>
  </form>
</body>
</html>

See the problem? Don’t worry, neither did the pair that worked on the JavaScript. But our QA showed us a neat little alert box!

The jQuery text() method returns the option’s text with the server-side HTML escaping already decoded, so the string is once again `<script>alert('xss');</script>`. Passing a string to after() makes jQuery parse it as HTML and insert the resulting nodes, and jQuery evaluates the script element it finds. Nasty stuff.

How did we deal with the problem? This was our immediate fix:

  // after() accepts a DOM node, so let's create a text node: it is inserted as-is and never parsed as HTML
  select.after(document.createTextNode(option.text()));

Longer term fix – still open to suggestions.


Testing anti-patterns for developers

I’ve been saving this rant for a while now:

1. Test everything at the front-end, in exquisite detail – every project sponsor understands what tooltip 0 really means. Also a great idea if you like long-running and fragile tests that require deployments, browsers, testing frameworks and the kitchen sink. Testing at different layers, and perhaps even without a browser or (in java) a servlet container is for the weak.

2. Perform a database cleanup before and after every test, whether it needs to be done or not. For the truly adventurous add something about clearing out JMS queues and stopping scheduled tasks while you are running the cleanup tasks.

3. Always use the same data for tests, and better still use the same data for different tests. That way you will have to perform anti-pattern 2 with no questions asked. If anyone does ask about random or unique data just scoff sagely.

4. For those tied to java, run each test in its own JVM. If you happen to use a DI framework with lots of XML make sure it is initialised completely for each test. If anyone mentions forkmode=once just pretend to ignore them until they go away.

5. Write your application so that you need a JavaScript enabled browser before you can test anything at all. Progressive enhancement is only for those who cannot see.

Catharsis.


JPasskeep and Command-Q on Mac

I’ve released a new version of my long-running password keeper application: JPasskeep. This new release is now able to handle a Command-Q keystroke on the Mac, giving a user (i.e. me) a chance to save any updated entries. No more mousing around to close a window.

The actual mechanism to do this was to reflectively call Apple’s EAWT application classes to allow me to register the correct event listener. Hmm, run anywhere with Java GUI apps.

You can download the cross-platform and mac DMG binaries from the project’s GitHub repository.
