Using the eval function
The eval function is used to run JavaScript dynamically. It takes a string as a parameter and
executes it as JavaScript code in the current scope, so whatever the string contains runs with the
full privileges of your page. Never pass the eval function data provided by an external source
(user input, query-string parameters, responses from other sites) over which you don't have 100
percent control. If the data is JSON, use JSON.parse, which accepts data only and throws on code.
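The following is an added example, not code from the book, showing the difference in practice. The two "server responses" are constructed strings: one is ordinary JSON, the other is a valid JavaScript expression that evaluates to an object but runs code on the way. The function and variable names are the example's own.

```javascript
// Added example: eval executes code hidden in external data; JSON.parse does not.
// Runs in Node.js or any modern browser; nothing here touches the DOM.

// Constructed sample "responses", as a server (or an attacker) might return them.
const trustedResponse = '{"user":"alice","role":"reader"}';
// A hostile string: a comma expression that assigns to a variable in our scope
// and then yields an object, so the caller sees a plausible result.
let sideEffect = null;
const hostileResponse =
  '(sideEffect = "payload ran", {"user":"mallory","role":"admin"})';

// Unsafe: eval runs whatever code the string contains.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Safe for JSON: the parser rejects anything that is not JSON data.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Exercises both parsers on both inputs and reports what happened.
function demo() {
  const results = {};
  sideEffect = null;

  results.evalTrusted = parseWithEval(trustedResponse).user;     // "alice"
  results.evalHostile = parseWithEval(hostileResponse).role;     // "admin"
  results.sideEffectAfterEval = sideEffect;                      // "payload ran"

  sideEffect = null;
  results.jsonTrusted = parseWithJsonParse(trustedResponse).user; // "alice"
  try {
    parseWithJsonParse(hostileResponse);
    results.jsonHostile = 'parsed';
  } catch (e) {
    results.jsonHostile = e.name;                                 // "SyntaxError"
  }
  results.sideEffectAfterJson = sideEffect;                       // null

  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point to notice is that eval returned a perfectly usable object while also running the attacker's code; the caller has no way to tell the difference. JSON.parse fails closed on the same input.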
Using iFrames
iFrames open up a new opportunity to attackers: a framed document runs inside your page, and
if it can run script, navigate your window, or submit forms, it can act against your users.
Search engines provide a plethora of results dealing with exploits regarding the use of iFrames.
The sandbox attribute should always be used to restrict what a framed document can do. It takes
either an empty value or a space-separated list of tokens, each of which lifts one restriction;
the empty value and the four tokens covered here are listed in Table 3-2.
TABLE 3-2 Available sandbox attribute values

Value                  Description
""                     An empty string applies all restrictions. This is the most secure setting.
allow-same-origin      iFrame content is treated as being from the same origin as the containing
                       HTML document.
allow-top-navigation   iFrame content can navigate the top-level browsing context (the window
                       that contains it), for example by redirecting the whole page.
allow-forms            iFrame can submit forms.
allow-scripts          iFrame can run script.

Grant allow-scripts and allow-same-origin together only for content you control: a same-origin
document that can run script can reach into the containing page and remove the sandbox
attribute from its own iFrame element, which defeats the sandbox entirely.
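As an added example (not code from the book), the helper below builds an iFrame tag from a source URL and a list of sandbox tokens, escapes the attribute values so a hostile URL cannot break out of the tag, and flags the allow-scripts plus allow-same-origin combination before the frame is ever created. The function names, the token list and the sample URLs are the example's own assumptions.

```javascript
// Added example: constructing a sandboxed <iframe> and rejecting token
// combinations that defeat the sandbox. The string-building part runs in
// Node.js; attachIframe() needs a browser DOM.

// The tokens covered in Table 3-2 (the attribute accepts others, omitted here).
const KNOWN_TOKENS = new Set([
  'allow-same-origin', 'allow-top-navigation', 'allow-forms', 'allow-scripts',
]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Returns { html, warnings }: html is the <iframe> tag as a string, warnings
// lists security problems with the requested token set (empty when it is fine).
function sandboxedIframe(src, tokens = []) {
  const warnings = [];
  const set = new Set(tokens);

  for (const token of set) {
    if (!KNOWN_TOKENS.has(token)) warnings.push('unknown sandbox token: ' + token);
  }
  // A same-origin framed document that can run script can remove the sandbox
  // attribute from its own <iframe> element in the parent document.
  if (set.has('allow-scripts') && set.has('allow-same-origin')) {
    warnings.push('allow-scripts with allow-same-origin lets the framed page remove its own sandbox');
  }

  const sandbox = [...set].join(' ');   // "" means all restrictions apply
  const html = '<iframe src="' + escapeAttr(src) + '" sandbox="' + escapeAttr(sandbox) + '"></iframe>';
  return { html, warnings };
}

// Browser-only: build the element with DOM APIs instead of innerHTML and
// refuse to attach anything that produced a warning.
function attachIframe(parent, src, tokens = []) {
  const { warnings } = sandboxedIframe(src, tokens);
  if (warnings.length > 0) throw new Error(warnings.join('; '));
  const frame = document.createElement('iframe');
  frame.src = src;
  frame.setAttribute('sandbox', tokens.join(' '));
  parent.appendChild(frame);
  return frame;
}

// Constructed sample inputs.
console.log(sandboxedIframe('https://example.com/widget').html);
console.log(sandboxedIframe('https://example.com/widget', ['allow-scripts', 'allow-forms']).html);
console.log(sandboxedIframe('https://example.com/widget', ['allow-scripts', 'allow-same-origin']).warnings);
console.log(sandboxedIframe('x" onload="alert(1)').html);
```

A third-party widget that needs script but not forms or navigation gets exactly allow-scripts; an untrusted document you only need to display gets the empty value. The escaping matters even with a sandbox: a src value containing a quote would otherwise close the attribute and inject its own, unsandboxed, markup.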
Thought experiment
Encoding input data
In this thought experiment, apply what you've learned about this objective. You can
find answers to these questions in the “Answers” section at the end of this chapter.
The primary way in which malicious users seek out vulnerabilities in your webpages
is through code injection: placing script or markup in input that your page later trusts.
Such injections are used to find weaknesses in the code where malicious users could trick
legitimate users into being redirected to a malicious site or, worse, steal private data.
What additional strategies can you design into your webpages to help prevent these types
of attacks?
Objective summary
Regular expressions are strings of special characters that an interpreter understands
and uses to validate text format.
Regular expressions are objects in JavaScript that provide methods for testing input
data.