Can scripts be hidden in css or image files

A

Andre

I'm writing a web-app which needs some javascript (my own) to be
executed locally.

This app can load local pages or remote ones; however I have a concern
about potentially malicious code in remote files. (it would be easy to
write javascript code that would make my web-app do nasty things :-(

For remote pages, I can strip embedded <script>...</script> as well as
<script src="..."/> before displaying it in the web app. However, I am
wondering if it's possible to "hide" other scripts either in css files
or image files that are loaded.

[What I do is "fetch" an html document and process it with my app, and
then feed it to my favorite browser (Firefox) which then loads the
relevant image files and css files (and, presently, other js files if
present) on its own.]

Any help or pointers would be appreciated.

André
 
D

David Dorward

Andre said:
For remote pages, I can strip embedded <script>...</script> as well as
<script src="..."/> before displaying it in the web app.
Click to expand...

Don't forget <... onmouseover="somescript()";>

or <img src="javascript:somescript()";>

and so on.
However, I am > wondering if it's possible to "hide" other scripts either
in css files
Click to expand...

Not by the standard, but IE and Firefox (at least) provide proprietary ways
to do so.
 
A

Andre

David said:
Don't forget <... onmouseover="somescript()";>

or <img src="javascript:somescript()";>

and so on.
Click to expand...

Would all such "action tags" always include a "()" , or more generally,
"(some variables here)". I could possibly restrict attributes to be
only:
class /* needed for styling */
id /* same */
title /* needed by my app */
src /* needed for images and style files */ [but strip those if their
"value" includes some parentheses]

Not by the standard, but IE and Firefox (at least) provide proprietary ways
to do so.
Click to expand...

Any pointers to the above mentioned proprietary way for Firefox? (at
this point, I've given up on IE).

 
D

David Dorward

Andre wrote:

Would all such "action tags" always include a "()" , or more generally,
"(some variables here)".
Click to expand...

No. Such data could be represented by entities. In the case of URLs I
suspect it could be URL encoded too. There may be other techniques.
Any pointers to the above mentioned proprietary way for Firefox? (at
this point, I've given up on IE).
Click to expand...

Sorry. Never used it.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Bash scripts for web apps 1
CSS: How can I stop overflow on the y-axis? 2
Image upload not working in browser 4
I need help in understanding these files on my phone, Could someone help me understand these files? Urgent help needed. Please help. 3
Working on mobile css menu with plenty of frustration! 2
Should heavy binary files not be stored in database? 1
Sharing common code between multiple scripts? 0
How do I fix this issue in sqaurespace code block? 1

Members online

Total: 65 (members: 1, guests: 64)
Robots: 331

Forum statistics

Threads
473,995
Messages
2,570,228
Members
46,818
Latest member
SapanaCarpetStudio

Latest Threads

Top