duanjiong1952 2013-11-06 11:43
Views: 39
Accepted

Is it safe if no other user can see the unescaped user input?

There is a web page that has a <textarea>.

You can type any text into that <textarea> and if you hit submit, whatever you have typed gets rendered on the screen. If you type <script>alert('hello')</script> and hit submit you would get that alert.

The web page doesn't store the typed text so your input could not get rendered on other clients (browsers of other users).

Does the described behavior introduce security risks for the web page owner or its users?


3 answers

  • dongyuan1870 2013-11-06 11:55

    Even if the form is never submitted to the server, there are still risks with doing this. The main risk that I see here is if the input field can be populated by an external site.

    Consider that a hacker's site can post to your form, and pre-fill it with arbitrary JavaScript code.

    He could send any JS code he likes, so that could include code that loads other external resources. Anything....

    • It could completely overwrite your page design to mimic that of another site, for a phishing attack. (which means that when it's discovered your site is the one that gets blocked, and not his)

    • It could use your site as a launch pad for sending spam. (ditto for getting blocked, and you really don't want to end up on a spam blacklist)

    • It could leave your site apparently unchanged, but embed a malicious library that tracks the user or exploits a vulnerability in the browser. (hackers often go to great lengths to inject a JS include into a site; here you're giving them an open door for it)

    The trouble with web security is that it is an extremely broad subject -- there are so many possible ways to get hacked and so many angles you need to cover. Ultimately the only way you can keep safe is by exercising best practices at all times; even when you don't see an immediate way for data to be exploited, you should still secure it, because ultimately hackers rely on the exploits that we don't see.

    This answer was selected as the best answer by the asker.
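As an added illustration (this is not code from the question or from dongyuan1870's answer), the Node script below models the page as string rendering, which is what `element.innerHTML = text` amounts to, so it runs without a browser. It shows why the reflection is an XSS sink even though nothing is stored, the hardened rendering, and the delivery path the answer describes: an attacker-controlled page that auto-submits a pre-filled form. The target URL and the field name `text` are hypothetical, and the attack assumes the page echoes the submitted value back (server-side, or by reading it from the URL); a page that only ever reads what the victim typed by hand is not reachable this way.

```javascript
// Added example; not code from the original question or answer. Models the
// page described in the question as string rendering (the equivalent of
// element.innerHTML = text) so it runs under Node without a DOM.

// Constructed sample inputs.
const BENIGN = "Tom & Jerry <3";
const SCRIPT_PAYLOAD = "<script>alert('hello')</script>";
// Breaks out of a <textarea> that the page echoes the text back into.
const TEXTAREA_BREAKOUT = "</textarea><script>alert(document.cookie)</script>";

// What the page in the question effectively does: the submitted text is
// concatenated into the output div and (so the form stays filled) back into
// the textarea. Both spots are unescaped.
function renderUnsafe(text) {
  return (
    `<textarea name="text">${text}</textarea>\n` +
    `<div id="output">${text}</div>`
  );
}

// Escape the five characters that can change HTML context. Sufficient for
// text nodes, <textarea> content and quoted attribute values; script, URL
// and CSS contexts need their own encoders, so never reflect into those.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened page: identical output for benign input, but payloads are shown
// as text. In a real page, element.textContent = text gives the same result
// with no manual escaping; innerHTML fed unescaped input is the bug.
function renderSafe(text) {
  const safe = escapeHtml(text);
  return (
    `<textarea name="text">${safe}</textarea>\n` +
    `<div id="output">${safe}</div>`
  );
}

// The delivery path the answer describes: a page on the attacker's site that
// auto-submits a pre-filled form to the vulnerable page, so the victim never
// types anything. ASSUMES the target reflects the "text" field it receives
// (hypothetical field name and URL). The same works as a GET link when the
// page takes the text from the query string instead.
function attackerPage(targetUrl, payload) {
  return [
    `<form id="f" method="POST" action="${escapeHtml(targetUrl)}">`,
    `  <textarea name="text">${escapeHtml(payload)}</textarea>`,
    `</form>`,
    `<script>document.getElementById("f").submit();</script>`,
  ].join("\n");
}

// Reviewer's check: the page itself emits exactly four tags. Any additional
// tag in the output came from the user-controlled text and will be live
// markup in the browser. Escaped input shows up as &lt;...&gt;, not as a tag.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}
function reflectsLiveMarkup(html) {
  return countTags(html) > 4;
}

// Stand-alone demo.
console.log("unsafe render reflects live markup:", reflectsLiveMarkup(renderUnsafe(SCRIPT_PAYLOAD)));
console.log("safe render reflects live markup:  ", reflectsLiveMarkup(renderSafe(SCRIPT_PAYLOAD)));
console.log(attackerPage("https://victim.example/echo", TEXTAREA_BREAKOUT));
```

The breakout payload is the case worth noticing: even if the output div were escaped, echoing the text back into the `<textarea>` unescaped lets `</textarea>` close the element and the script that follows runs in the page's origin, with the page's cookies and session.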
