Some of you might ask now: Why would this be a security leak?
Well, have a look at my userpage. You can see a small gif with text around it that says "Klicke hier für Hilfe" ("Click here for help").
Can you see it? Cool, I can see you too, because this is JavaScript and it allows me to see your IP address, the time you have spent looking at that particular page, the browser, the browser version, the platform, and the referrer. If you click on the picture, a chat window opens up, but if I wanted to be really funny I could open up a chat window from my side as well.
So, the security leak is:
- By allowing anything with the src attribute you open up a security hole.
- Almost everything that is possible with JavaScript can be done with your website. This includes:
  - A violation of the privacy of your website's members
  - Unwanted windows might open up
  - Someone could use my example script to claim to be part of the website's staff and ask for a password, or do any other harm to the visitors of your site
So please don't allow all HTML tags. :)
Greetings from sunny Germany!
Sascha
P.S.: Please don't delete my account here, I will take off my JavaScript signature after a few days so that everyone has had enough time to test this - I promise I won't do any harm to your website's visitors nor will I monitor them! :)
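One way to follow the advice in the post above (an added example, not code from the original post or its forum software): an allowlist sanitizer for user signatures. It keeps only a few formatting tags, drops script-like elements together with their contents, strips event-handler attributes, and accepts `href`/`src` only for http(s) URLs on the site's own host, so a signature can neither load a remote script nor send a visitor's IP address and referrer to a third-party server. The allowed tag set and the `example.org` host are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a signature may keep, with the attributes each may carry (assumption).
ALLOWED = {"b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                        # never get a closing tag
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
ALLOWED_HOSTS = {"example.org"}             # constructed: the site's own host

def url_ok(url):
    """Only http(s) URLs on our own host: no javascript: links and no off-site
    src that would hand the visitor's IP and referrer to a stranger."""
    p = urlparse(url.strip())
    return p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0                       # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1                  # swallow the tag and everything in it
        elif not self.skip and tag in ALLOWED:
            kept = []
            for name, value in attrs:       # unknown attrs (onclick, style, ...) go
                if name in ALLOWED[tag] and value is not None:
                    if name in ("href", "src") and not url_ok(value):
                        continue
                    kept.append(f' {name}="{escape(value, quote=True)}"')
            if tag == "img" and not any(k.startswith(" src=") for k in kept):
                return                      # an <img> without a safe src is useless
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # text is re-escaped, never trusted

def sanitize(html):
    """Return the signature HTML reduced to the allowlist above."""
    s = Sanitizer(); s.feed(html); s.close()
    return "".join(s.out)
```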