javascript - Prevent inline JS execution -


i have situation loading external html wysiwyg editor on web page. external html trusted source, , includes ever between 2 specific <div> tags number of different pages.

my problem of pages contain inline javascript event handlers. when working in wysiwyg editor, events cause execution of js.

mostly doesn't other fill console errors saying ... not defined, , may is, , wouldn't problem. still, it's messy, , don't know if there isn't page somewhere might execute alert(...) extremely annoying. code trusted, detached intended context, produced undesirable results.

i want find way globally prevent execution, preferably without modifying inline script. attach =false; each handler, have check incoming elements, , regular expressions, degrade performance. also, have remove before submitting edited html server, seems major pain, , difficult flawlessly.

is there way prevent online code being executed within particular context?

depending on browser trying support, can checkout 'content security policy' headers. checkout http://caniuse.com/contentsecuritypolicy details on browser support.

if target browser in list, csp can looking for. disable event handlers default. block execution of code embedded within on page in addition blocking event handlers. need move js code, if present on html page separate js, specify filename in safe-list , load js there.

csp set http headers new specification can set using meta tags well. checkout https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#html-meta-element--experimental.

for webkit supported browsers(chrome/safari) restrict load external source. can add list of accepted sources list , explore works you.

for firefox, though there in specification, not think meta tag supported yet. https://developer.mozilla.org/en-us/docs/security/csp/introducing_content_security_policy.

so summarize, long can set headers web-server hosting web page (unless want chrome/safari support), , target browser supports csp, might give shot.


Comments

Post a Comment

Popular posts from this blog

assembly - 8086 TASM: Illegal Indexing Mode -

this question has answer here: illegal use of register in indirect addressing 1 answer i writing 8086 assembly program needs compile through tasm v3.1. running error can not seem fix. my data segment has following set purposes of keyboard input: parao label byte maxo db 5 acto db ? datao db 5 dup('$') what trying first character entered, first byte of datao: lea dx, datao mov bl, [dx] however, when attempt compile, error: **error** h5.asm(152) illegal indexing mode line 152 "mov bl, [dx]" any appreciated. if matters, running tasm through dosbox (my laptop running 64-bit win7) google hasn't come helpful answers. can post entirety of code if necessary. pretty sure reason can't use dx register pointer. try instead using [si], [di] or [bx]: lea bx, data0 mov al, [bx]
Read more

Java, LWJGL, OpenGL 1.1, decoding BufferedImage to Bytebuffer and binding to OpenGL across classes -

i've been attempting solve problem without luck. have 4 classes, main class, object class, sprite class , image loader class. i'm attempting load png using image loader , using method found here: http://www.java-gaming.org/topics/bufferedimage-to-lwjgl-texture/25516/msg/220280/view.html#msg220280 convert bytebuffer, , bind opengl. the image in it's own seperate resource folder. should being drawn this: ( http://i.imgur.com/j8gbu4c.png ) (32x32), i'm seeing white box has dimensions of image, not actual texture. if has idea of go fix i'd appreciate it. i'm new opengl , looking avoid using external library in order learn how actual code works. thanks. updated! to following, implemented suggestion provided vallentin, quad taking color of first pixel in image. i've attempted implementing image loader provided c.s here . i'm receiving error: javax.imageio.iioexception: error reading png image data @ com.sun.imageio.plugins.png.pngimagereader.r...
Read more

javascript - addthis share facebook and google+ url -

i attempting use addthis create simple url shares whichever current page user on when click share button. of right now, have twitter working. when user clicks, able see url populated in tweet box. when user clicks facebook or google+, url doesn't seem show in share box. <ul class="addthis_toolbox addthis_default_style "> <li><a class="addthis_button_facebook"><img src="/img/facebook-social.png" width="20" height="20" border="0" alt="share" /></a></li> <li><a class="addthis_button_twitter"><img src="/img/twitter-social.png" width="20" height="20" border="0" alt="share" /></a></li> <li><a class="addthis_button_google_plusone_share"><img src="/img/google-social.png" width="20" height="20" border="0" alt="s...
Read more