
Verify javascript code at server

I have a text area on my website where a user can add JavaScript code. I need to check whether this code contains any malicious code or not. What are the options at

  1. Client end
  2. Server end

Or where can I find good material on checking for malicious code?

There is a reason that webmail sites (e.g. Gmail) strip all JavaScript when rendering HTML messages, and that is because it is simply far too difficult (if not impossible) to verify if any code is malicious (especially when executed in the context as coming from your domain, and thus opening a host of XSS issues).

If you really need JavaScript support you can maybe whitelist a handful of supported functions while stripping everything else, but even this route is fraught with peril.

If security is important, you should strongly consider whether JavaScript is really necessary or not. A workaround may be to provide your own interpreted language or set of functions that you translate to JavaScript for the user when the HTML is created (to me, this is the only safe option).
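The last suggestion in the answer above (accept your own restricted language and translate it to JavaScript on the server, rather than accepting JavaScript and trying to judge it) can be made concrete. The following is an added example, not code from the original question or answer: a server-side translator for a tiny command language with three whitelisted commands. The command set, the `ui` runtime object the generated code calls, and every function name below are assumptions made for illustration. The point it demonstrates is that user text never becomes JavaScript syntax: it only ever lands inside string or number literals produced by the translator, and anything that is not a known command with well-typed arguments is rejected with a line number instead of being "cleaned".

```javascript
"use strict";

// Added example (not from the original post): translate a whitelisted mini-language
// to JavaScript. The `ui` object and the commands are assumptions for illustration.

// Each command declares its argument types and the JS template it expands to.
// Arguments reach `emit` only after parseArg has re-serialised them as literals.
const COMMANDS = new Map([
  ["show",  { args: ["string"],              emit: ([msg]) => `ui.show(${msg});` }],
  ["color", { args: ["enum:red,green,blue"], emit: ([c])   => `ui.setColor(${c});` }],
  ["wait",  { args: ["int"],                 emit: ([ms])  => `await ui.wait(${ms});` }],
]);

// Serialise a string as a JS literal that is also safe inside an inline <script>:
// JSON.stringify handles quotes, backslashes and control characters, and "<" is
// escaped so the emitted literal can never contain "</script>".
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Split one line into tokens. Only bare words and plain double-quoted strings
// (no escapes, no embedded quotes) are tokens; any other character, including
// ";", "(" or a backslash, is a syntax error rather than something to strip.
function tokenize(line) {
  const tokens = [];
  const token = /\s*("[^"\\]*"|[A-Za-z0-9_]+)/y;  // sticky: must match at lastIndex
  let pos = 0;
  while (pos < line.length) {
    token.lastIndex = pos;
    const m = token.exec(line);
    if (m === null) {
      throw new Error(`unexpected character at column ${pos + 1}: ${line.slice(pos, pos + 10)}`);
    }
    tokens.push(m[1]);
    pos = token.lastIndex;
  }
  return tokens;
}

// Validate one raw token against its declared type and return JS literal text.
function parseArg(spec, raw) {
  if (spec === "string") {
    const m = /^"([^"\\]*)"$/.exec(raw);
    if (m === null) throw new Error(`expected a quoted string, got ${raw}`);
    return jsStringLiteral(m[1]);
  }
  if (spec === "int") {
    if (!/^\d{1,6}$/.test(raw)) throw new Error(`expected a small integer, got ${raw}`);
    return String(Number(raw));
  }
  if (spec.startsWith("enum:")) {
    const allowed = spec.slice("enum:".length).split(",");
    if (!allowed.includes(raw)) throw new Error(`expected one of ${allowed.join("/")}, got ${raw}`);
    return jsStringLiteral(raw);
  }
  throw new Error(`unknown argument type ${spec}`);
}

// Translate a whole program. Every emitted line comes from a COMMANDS template;
// user text appears only inside the literals produced by parseArg.
function translate(source) {
  const out = [];
  source.split(/\r?\n/).forEach((rawLine, idx) => {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) return;  // blank line or comment
    const [name, ...args] = tokenize(line);
    // Map.get does no prototype lookup, so "constructor" or "__proto__" is not a command.
    const cmd = COMMANDS.get(name);
    if (cmd === undefined) throw new Error(`line ${idx + 1}: unknown command ${name}`);
    if (args.length !== cmd.args.length) {
      throw new Error(`line ${idx + 1}: ${name} takes ${cmd.args.length} argument(s)`);
    }
    out.push(cmd.emit(args.map((a, i) => parseArg(cmd.args[i], a))));
  });
  return out.join("\n");
}

// Server-side entry point: the generated JS, or the reason the submission was rejected
// (suitable for logging and for showing the user which line was refused).
function check(source) {
  try {
    return { ok: true, js: translate(source) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample input: one legitimate program and two that must be rejected.
const GOOD = 'show "Hello, world"\nwait 500\ncolor red';
const BAD_INJECTION = 'show "x"; evil()';
const BAD_COMMAND = 'constructor "x"';

console.log(check(GOOD));
console.log(check(BAD_INJECTION));
console.log(check(BAD_COMMAND));
```

Because `wait` expands to `await`, the server would wrap the generated lines in an `async` function body before embedding them in the page. The design choice worth noting is that nothing here tries to decide whether input is malicious: the parser accepts exactly the grammar it knows and refuses everything else, which is the only kind of check that stays correct as the attacker's input changes.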

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
