
I have a web page which is completely rendered on the server side (nodejs+phantomjs), I want to send this page to a client browser. The problem is the client browser tries to re-execute the javascript. Hence, I have two options:

  1. Disable javascript in the iframe that loads that page in the client
  2. Strip every javascript and js call/event from the page

Although I will not use the original javascript of the page, I will later on need to be able to add javascript events to the iframe.

It seems the first option can be realised by using the iframe 'sandbox' argument, but that will prevent me from injecting other javascript later on. Hence I need a way to realize the second option, i.e. removing all the original javascript from the page.

Is there an efficient (and reliable) way to do so? I guess using regex could be a solution, but is it reliable?

fusio
  • I think you need to clarify the question. Is server side Javascript getting sent and therefore executed on the client (in which case, you're doing something terribly wrong)? Or you're trying to load a page in an iframe, but not allow Javascript in the iframe..? Why not? Is it just the onload Javascript that's getting executed? I don't understand what you're trying to do, but stripping the script tags out of HTML sounds like a hacky way to do it. – PherricOxide Jun 19 '13 at 21:21
  • remove all the script tags before you print it using the DOM or RegExp. – dandavis Jun 19 '13 at 21:23
  • @PherricOxide: I am loading a remote page into a virtual browser, the page is executed on the server. I then take the resulting DOM and load it into an iframe in the client. I do not want the original JS to be executed in that iframe, but I still want to attach my events to the page DOM. E.g. a page I am loading into the virtual browser opens a dialog jqueryui onload, I then send the resulting DOM to the client which tries to open the same dialog again. This is a follow up to [this](http://stackoverflow.com/questions/17196362/how-to-append-jquery-events-to-an-iframe-with-sandbox) question. – fusio Jun 19 '13 at 21:52

1 Answer


I found a solution which appears to be working. I am not sure it is the best solution, but it is surely better than manually removing any JS reference from the document, for my purposes.

Here's the trick: hijack js! I am just prepending in the <head> the following:

<script>
    // Replace the three indirection methods with no-ops, so any code that
    // dispatches through them (library event handlers, bound callbacks)
    // silently does nothing.
    Function.prototype.call = function(){};
    Function.prototype.apply = function(){};
    Function.prototype.bind = function(){};
</script>

and JavaScript is disabled.

fusio
  • This is some weird stuff! Didn't expect native function calling to use the prototype functions. Javascript is such a magical language :) – Lodewijk Nov 09 '13 at 19:51
  • It doesn't prevent stuff like document.body.innerHTML = '' though. XSS really doesn't need more than that. – Lodewijk Nov 09 '13 at 19:53
  • 1
    @Lodewijk indeed, I ended up stripping all html ``on*`` events and all `` – fusio Nov 09 '13 at 23:14
  • 2
    !!!! IT IS NOT ENOUGH !!!! https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BODY_image Lists a ton of XSS tricks. The "javascript:" is a mayor headache that I just can't believe made it into HTML. Never knew about it before. Cursewords! – Lodewijk Nov 09 '13 at 23:28
  • @fusio how do I remove all on events `on` a website? – David Lopez Apr 08 '21 at 03:28
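The following is an added example, not code from the answer or the question above. It runs the answer's `Function.prototype` hijack under Node and records which invocations still execute, so the gap the comments point at can be measured rather than guessed. `withHijack` and `probe` are names chosen here, and `page` is a constructed stand-in for `document` so the script runs offline; nothing else is assumed.

```javascript
// Added example (not part of the original answer): a runnable probe of what
// the Function.prototype hijack from the answer actually suppresses.
// `page` below is a constructed stand-in for `document`, so this runs in Node.

function withHijack(fn) {
  // Keep the native references so the environment can be restored afterwards.
  const saved = {
    call: Function.prototype.call,
    apply: Function.prototype.apply,
    bind: Function.prototype.bind,
  };
  // The answer's trick: neutralise the three indirection methods that
  // libraries such as jQuery dispatch their handlers through.
  Function.prototype.call = function () {};
  Function.prototype.apply = function () {};
  Function.prototype.bind = function () {};
  try {
    return fn();
  } finally {
    Function.prototype.call = saved.call;
    Function.prototype.apply = saved.apply;
    Function.prototype.bind = saved.bind;
  }
}

function probe() {
  const log = [];
  // Constructed DOM stand-in: only the property write matters here.
  const page = { body: { innerHTML: '<p>server-rendered</p>' } };
  function handler(how) { log.push(how); }

  return withHijack(() => {
    // 1. A direct invocation never goes through Function.prototype.call.
    handler('direct');
    // 2. Library-style dispatch through call/apply/bind is silenced.
    handler.call(null, 'call');
    handler.apply(null, ['apply']);
    const bound = handler.bind(null, 'bind'); // the no-op returns undefined
    if (typeof bound === 'function') bound();
    // 3. String evaluation still runs, and the call it makes is direct again.
    eval('handler("eval")');
    // 4. Property writes are untouched (the innerHTML case from the comments).
    page.body.innerHTML = '';
    return {
      ran: log.slice(),
      innerHTML: page.body.innerHTML,
      boundType: typeof bound,
    };
  });
}

// Confirms the restore in withHijack worked: native .call behaves again.
function callRestored() {
  return (function (x) { return x * 2; }).call(null, 21) === 42;
}
```

`probe()` returns `ran: ['direct', 'eval']` with `innerHTML` emptied and `boundType` of `'undefined'`: only code that routes through `call`, `apply` or `bind` is affected, while plain calls, `eval`, and DOM property writes proceed. Inline `<script>` bodies, `on*` attributes and `javascript:` URLs all invoke their code directly, so the hijack on its own does not stop them; what it does reliably break is a library's own plumbing (and, as a side effect, any later script you inject that relies on `.bind`). For actual isolation the options remain removing the script content at the DOM level or keeping the iframe's `sandbox` attribute without `allow-scripts`.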