HTML and CSS Reference
In-Depth Information
Using the eval function
The eval function is used to run JavaScript dynamically. It takes a string as a parameter and
runs it as a JavaScript function. Never use the eval function against any data provided by an
external source over which you don't have 100 percent control.
Using iFrames
iFrames open up a new opportunity to attackers. Search engines provide a plethora of results
dealing with exploits regarding the use of iFrames. The sandbox attribute should always
be used to restrict what data can be placed into an iFrame. The sandbox attribute has four
possible values, as listed in Table 3-2.
TABLE 3-2 Available sandbox attribute values
An empty string applies all restrictions. This is the most secure.
iFrame content is treated as being from the same origin as the containing
HTML document.
iFrame content can load content from the containing HTML document.
iFrame can submit forms.
iFrame can run script.
Thought experiment
Encoding input data
In this thought experiment, apply what you've learned about this objective. You can
find answers to these questions in the “Answers” section at the end of this chapter.
The primary way in which malicious users seek out vulnerabilities in your webpages
is through the use of code injections. These are used to find weaknesses in the code
where malicious users could trick legitimate users into redirecting to a malicious
site or—worse—steal private data. What additional strategies can you design into
your webpages to help prevent these types of attacks?
Objective summary
Regular expressions are strings of special characters that an interpreter understands
and uses to validate text format.
Regular expressions are objects in JavaScript that provide methods for testing input
Search WWH ::

Custom Search