| Line 50: | Line 50: | ||
=== <b>Event handling attributes in HTML tags</b> === | === <b>Event handling attributes in HTML tags</b> === | ||
; The Problem : There are many HTML [http://www.w3.org/TR/html5/browsers.html#event-handler-attributes-0 event handling attributes] (on*) that can contain strings to be evaluated as script. | ; The Problem : There are many HTML [http://www.w3.org/TR/html5/browsers.html#event-handler-attributes-0 event handling attributes] (on*) that can contain strings to be evaluated as script. These values can be injected if there's a content injection flaw on a site (either reflected or persistent). As a result, they must be disabled and event handling attributes must be added through scripts served in whitelisted files. | ||
; General Solution : | ; General Solution : Equivalent event handling attributes should be added in an external script file (either new or added onto an existing one). | ||
; Conversion Steps: | |||
; Conversion Steps: For each DOM element ''X'' with an event handling attribute, <tt>onevent='code'</tt>, script must be added to an external script file with the following form: | |||
var elt = document.getElementById('X'); | |||
var handler = function () { code }; | |||
if(elt.addEventListener) | |||
elt.addEventListener('event', handler, false); // Gecko | |||
else | |||
elt.attachEvent('event', handler); // IE | |||
== Removing "eval()"-like features == | == Removing "eval()"-like features == | ||
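Review bot: the IE fallback in the new conversion snippet passes the same event name to both APIs, but the two APIs disagree on it: `addEventListener` takes the bare name (`'click'` for an `onclick` attribute), while IE's `attachEvent` expects the `on`-prefixed form (`'onclick'`), so `elt.attachEvent('event', handler); // IE` should read `elt.attachEvent('onevent', handler);`, and the step text should say explicitly that the `on` prefix is dropped for the former and kept for the latter, since readers will copy the pattern literally. Two further behavioural differences belong in the Conversion Steps because a mechanical move of `code` into `function () { code }` silently changes them: inline handler code runs with `this` bound to the element and `return false` cancels the default action, whereas under `attachEvent` `this` is `window`, and under `addEventListener` the handler must call `event.preventDefault()` (IE: `event.returnValue = false`) instead of returning `false`. Also, the external file runs `document.getElementById('X')` at load time, so the script must be included after the element exists (end of body, or wrapped in a `DOMContentLoaded`/`load` handler) and every converted element needs an `id`. Finally, in the Problem row, "event handling attributes must be added through scripts served in whitelisted files" is misleading, because the whole point is not to set the attributes at all; "handlers must be registered from scripts served in whitelisted files" matches what the General Solution row says.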