
I have a text area on my website where a user can add JavaScript code. I need to check whether this code contains any malicious code or not. What are the options at

  1. Client end
  2. Server end

Or where can I find good material on checking for malicious code?

  • Trust the user, or don't let them upload their own code. Then, don't let one user "give" code to another; that's where XSS comes in. – user2864740 Jul 28 '14 at 23:42
  • How would you know that it was malicious? lol – epascarello Jul 29 '14 at 00:33
  • That's the whole point of the question... Someone would have already done some research on this (malicious JavaScript) area... and may have some useful conclusions or guidelines. –  Aug 15 '14 at 22:30

1 Answer

There is a reason that webmail sites (e.g. Gmail) strip all JavaScript when rendering HTML messages, and that is because it is simply far too difficult (if not impossible) to verify whether any code is malicious (especially when it is executed in the context of your domain, which opens up a host of XSS issues).

If you really need JavaScript support, you can maybe whitelist a handful of supported functions while stripping everything else, but even this route is fraught with peril.

If security is important, you should strongly consider whether JavaScript is really necessary or not. A workaround may be to provide your own interpreted language or set of functions that you translate to JavaScript for the user when the HTML is created (to me, this is the only safe option).

Trevor Freeman
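An added example illustrating the two points of this answer; it is not code from the question or the answer. Part 1 is the kind of substring blacklist the question asks for, run over three constructed obfuscated snippets that it misses entirely. Part 2 is the answer's recommended alternative: a tiny allowlisted formula language that is parsed on the server and translated to JavaScript, rejecting any identifier outside the allowlist. The variable names `price` and `qty`, the `ctx` object the generated code reads from, and the four allowed functions are assumptions made for the example (a hypothetical pricing formula).

```javascript
'use strict';

// Part 1: a substring blacklist, the kind of check the question asks for.
const BLACKLIST = ['document.cookie', 'eval(', 'location', '<script', 'XMLHttpRequest'];

function naiveBlacklistFlags(code) {
  return BLACKLIST.some((bad) => code.includes(bad));
}

// Constructed samples: each reaches a blacklisted name without spelling it out,
// so naiveBlacklistFlags() returns false for every one of them.
const OBFUSCATED_SAMPLES = [
  "window['docu'+'ment']['coo'+'kie']",
  "[].constructor.constructor('return this')()['loc'+'ation']",
  "new (window['XMLHttp'+'Request'])()",
];

// Part 2: the answer's alternative. Instead of inspecting user JavaScript,
// accept only a tiny formula grammar and translate it to JavaScript yourself:
//   expr  := term (('+'|'-') term)*        term := unary (('*'|'/') unary)*
//   unary := '-' unary | number | var | func '(' expr (',' expr)* ')' | '(' expr ')'
// Variable names, the `ctx` object and the function set are assumptions for
// this example (a hypothetical pricing formula), not anything from the page.
const ALLOWED_VARS = new Map([['price', 'ctx.price'], ['qty', 'ctx.qty']]);
const ALLOWED_FUNCS = new Map([['max', 'Math.max'], ['min', 'Math.min'],
                               ['abs', 'Math.abs'], ['round', 'Math.round']]);

function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/(),]))/y;
  const tokens = [];
  src = src.trim();
  for (let pos = 0; pos < src.length; pos = re.lastIndex) {
    re.lastIndex = pos;
    const m = re.exec(src);
    // Quotes, dots, brackets and everything else outside the grammar stop here.
    if (!m) throw new SyntaxError(`unexpected input near ${JSON.stringify(src.slice(pos, pos + 10))}`);
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  return tokens;
}

// Recursive-descent parser. Unknown identifiers are rejected at parse time, so
// there is no way to name window, document, constructor or any other global.
function parse(src) {
  const toks = tokenize(src);
  let i = 0;
  const peek = () => toks[i];
  const next = () => toks[i++];
  const isOp = (v) => peek() !== undefined && peek().type === 'op' && peek().value === v;
  const expect = (v) => { if (!isOp(v)) throw new SyntaxError(`expected '${v}'`); next(); };
  function expr() {
    let node = term();
    while (isOp('+') || isOp('-')) node = { kind: 'bin', op: next().value, left: node, right: term() };
    return node;
  }
  function term() {
    let node = unary();
    while (isOp('*') || isOp('/')) node = { kind: 'bin', op: next().value, left: node, right: unary() };
    return node;
  }
  function unary() {
    if (isOp('-')) { next(); return { kind: 'neg', expr: unary() }; }
    return primary();
  }
  function primary() {
    const t = next();
    if (t === undefined) throw new SyntaxError('unexpected end of input');
    if (t.type === 'num') return { kind: 'num', value: t.value };
    if (t.type === 'id' && isOp('(')) {
      if (!ALLOWED_FUNCS.has(t.value)) throw new Error(`function not allowed: ${t.value}`);
      next();
      const args = [expr()];
      while (isOp(',')) { next(); args.push(expr()); }
      expect(')');
      return { kind: 'call', name: t.value, args };
    }
    if (t.type === 'id') {
      if (!ALLOWED_VARS.has(t.value)) throw new Error(`variable not allowed: ${t.value}`);
      return { kind: 'var', name: t.value };
    }
    if (t.value === '(') { const node = expr(); expect(')'); return node; }
    throw new SyntaxError(`unexpected token '${t.value}'`);
  }
  const ast = expr();
  if (i !== toks.length) throw new SyntaxError('unexpected trailing input');
  return ast;
}

// Emit JavaScript built only from numeric literals and allowlisted fragments;
// no user-supplied text is ever copied into the output.
function compile(node) {
  switch (node.kind) {
    case 'num': return String(node.value);
    case 'var': return ALLOWED_VARS.get(node.name);
    case 'neg': return `(-${compile(node.expr)})`;
    case 'bin': return `(${compile(node.left)} ${node.op} ${compile(node.right)})`;
    default: return `${ALLOWED_FUNCS.get(node.name)}(${node.args.map(compile).join(', ')})`;
  }
}

function compileFormula(src) { return compile(parse(src)); } // the string you ship to the browser
function evalFormula(src, ctx) { return new Function('ctx', `return ${compileFormula(src)};`)(ctx); }
function rejectsFormula(src) { try { parse(src); return null; } catch (e) { return e.message; } }
```

`compileFormula('max(price * qty - 10, 0)')` yields `Math.max(((ctx.price * ctx.qty) - 10), 0)`, while `rejectsFormula('alert(1)')`, `rejectsFormula('window.location')` and `rejectsFormula('constructor')` all return an error message rather than null. The design point is the one the answer makes: nothing in the user's text reaches the browser, only the allowlisted fragments the translator chose to emit, so there is nothing left to "scan for malicious code".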