
I have a text area on my web page where a user can add JavaScript code. I need to check whether this code contains any malicious code or not. What are the options at

  1. Client end
  2. Server end

Or where can I find good material on checking for malicious code?

  • Trust the user, or don't let them upload their own code. Then, don't let one user "give" code to another; that's where XSS comes in. Commented Jul 28, 2014 at 23:42
  • How would you know that it was malicious? lol Commented Jul 29, 2014 at 0:33
  • That's the whole point of the question... Someone would have already done some research in this (malicious JavaScript) area, and may have some useful conclusions or guidelines. Commented Aug 15, 2014 at 22:30

1 Answer

There is a reason that webmail sites (e.g. Gmail) strip all JavaScript when rendering HTML messages, and that is because it is simply far too difficult (if not impossible) to verify whether any code is malicious (especially when it is executed in the context of your domain, thus opening a host of XSS issues).

If you really need JavaScript support you can maybe whitelist a handful of supported functions while stripping everything else, but even this route is fraught with peril.

If security is important, you should strongly consider whether JavaScript is really necessary. A workaround may be to provide your own interpreted language or set of functions that you translate to JavaScript for the user when the HTML is created (to me, this is the only safe option).
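To make the last suggestion concrete, here is an added example (not from the answer or from any project it mentions): a tiny command language that is checked against a fixed grammar and only then translated into JavaScript calls on an assumed `ui` helper object (`ui.show`, `ui.hide`, `ui.setText` are assumed names), so the user never supplies JavaScript directly.

```javascript
// Added example (not from the answer): a tiny command language checked against
// a fixed grammar and only then translated to JavaScript calls on an assumed
// `ui` helper object. The user never supplies JavaScript directly.
const GRAMMAR = {
  // command -> one regex per argument; the last argument may contain spaces
  show:    [/^[A-Za-z_][\w-]*$/],               // show <element id>
  hide:    [/^[A-Za-z_][\w-]*$/],               // hide <element id>
  setText: [/^[A-Za-z_][\w-]*$/, /^[^\r\n]*$/], // setText <element id> <text>
};

function parseLine(line, lineNo) {
  const m = line.match(/^(\S+)(?:\s+(.*))?$/);
  if (!m) throw new Error(`line ${lineNo}: empty command`);
  const [, cmd, rest = ''] = m;
  // Own-property check: inherited names like "constructor" are not commands.
  const spec = Object.prototype.hasOwnProperty.call(GRAMMAR, cmd) ? GRAMMAR[cmd] : null;
  if (!spec) throw new Error(`line ${lineNo}: unknown command "${cmd}"`);
  const args = [];
  let remaining = rest;
  spec.forEach((pattern, i) => {
    let value;
    if (i === spec.length - 1) {          // last argument takes the remainder
      value = remaining;
      remaining = '';
    } else {
      const sp = remaining.match(/^(\S+)\s*(.*)$/);
      if (!sp) throw new Error(`line ${lineNo}: missing argument ${i + 1} for ${cmd}`);
      [, value, remaining] = sp;
    }
    if (!pattern.test(value)) throw new Error(`line ${lineNo}: bad argument ${i + 1} for ${cmd}`);
    args.push(value);
  });
  return { cmd, args };
}
// Arguments become JSON string literals, so they are always data, never code.
// "<" is escaped so the output stays safe when embedded in a <script> element.
function literal(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}
function compile(program) {
  const out = [];
  program.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return;   // blank line or comment
    const { cmd, args } = parseLine(line, i + 1);
    out.push(`ui.${cmd}(${args.map(literal).join(', ')});`);
  });
  return out.join('\n');
}
```

Anything that is not one of the three grammar commands with well-formed arguments is rejected before any JavaScript is produced, which is the property that a "scan for malicious code" check cannot give you.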
