Security/Inline Scripts and Styles: Difference between revisions

Security/Inline Scripts and Styles (view source)

Revision as of 11:23, 17 January 2014

1,497 bytes added , 17 January 2014

examples of inline code

Fbraun

Confirmed users

239

edits

@@ Line 14: / Line 14: @@
 Yes, we'll be documenting some of these as we come across them.
+=== Identifying and changing inline code patterns ===
+The general advise is that we want to have separate files for Stylesheets (CSS), JavaScript (JS) and HTML. This means that any trace of JS and CSS in HTML is to be removed and replaced with something in an exising JS or CSS file. If there is no existing CSS or JS file, a new one has to be created:
+There are five types of code that need changing
+'''JS in a script tag'''
+Example:
+ <script>
+  // JavaScript source code in here
+ </script>
+'''JS in an event handler'''
+There are numerous events to be checked, but luckily they can be easily found using a code editor's automated search function, as they all begin with "on", search for: ''" on"''
+Example:
+ <img src="image.jpg" onerror="alert('the image could not be found!')" />
+ <button onclick="buttonClicked();" />
+ <small class="easteregg" onmouseover="hiddenFunction();">...</small>
+'''JS in links'''
+This is about links that execute JavaScript, the most common pattern is an ''A'' tag with a ''javascript:'' pseudo-URL in the ''href'' attribute.
+ <a href="javascript:codeHere();">click me</a>
+'''CSS in a style tag'''
+Just a style tag with content:
+ <style>
+   h1 { color: green; }
+ </style>
+'''CSS in a style attribute'''
+This can happen in every tag, but is easily found by looking for '' style=''.
+Examples:
+ <a href="foo.html" style="text-decoration: none; color: pink;">click me</a>
+ <div style="position:aboslute; z-layer: -1; border: 1px solid blue; min-width: 250px"></div>