
XSS Shield is basically a UserScript which disables JavaScript insertions that may have happened. For example, if you turned on HTML, then something this would prevent would be:
ShadyGuy wrote:
[htmladd]<button onload="while (true) {window.alert('SomeShadyTextHere');}">Click here for awesomeness</button>[/htmladd]
But XSS can come in many shapes and sizes. It might even come as a like button.
ShadyGuy wrote:
Something really helpful here.
[likebtn]http://scratch.mit.edu/forums/viewtopic.php?tid=1234" onmousedown="while (true) {window.alert('Haha! Gotcha! Some more shady text here.')}[/likebtn]
[likecount]http://scratch.mit.edu/viewtopic.php?tid=1234[/likecount]
There are two versions:
Lite Version
Disables load, unload, and mouse events on flagged elements (images and links). Recommended if installing an insecure script.
Download Here: http://www.cfagency.org/xssshield_lite.user.js
Full Version
Disables all JavaScript events on all elements. Recommended if you are enabling HTML.
Download Here: http://www.cfagency.org/xssshield.user.js
Last edited by GeonoTRON2000 (2012-04-15 21:55:50)
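The two modes described in the post above can be sketched as follows. This is an added example, not the XSS Shield source and not code from the thread; the mode names, the function names `handlersToStrip` and `shield`, and the exact list of "mouse events" are assumptions made for illustration.

```javascript
// Added example: strip inline event-handler attributes in "lite" or "full" mode.
// Assumption: "flagged elements" are <img> and <a>, as the post says.
const LITE_TAGS = new Set(["img", "a"]);
// Assumption: load, unload, and the common mouse events.
const LITE_EVENTS = /^on(load|unload|mouse\w+|click|dblclick|contextmenu)$/;

// Decide which attribute names to remove from one element.
function handlersToStrip(tagName, attrNames, mode) {
  const tag = tagName.toLowerCase();
  return attrNames.filter((name) => {
    const n = name.toLowerCase();
    if (!n.startsWith("on")) return false; // not an inline event handler
    if (mode === "full") return true;      // full: every handler on every element
    return LITE_TAGS.has(tag) && LITE_EVENTS.test(n);
  });
}

// Apply to a DOM subtree and return how many attributes were removed.
// Works with any root exposing querySelectorAll, and elements exposing
// tagName, getAttributeNames and removeAttribute (standard DOM methods).
function shield(root, mode) {
  let removed = 0;
  for (const el of root.querySelectorAll("*")) {
    const names = handlersToStrip(el.tagName, el.getAttributeNames(), mode);
    for (const name of names) {
      el.removeAttribute(name); // clears the handler for future events
      removed++;
    }
  }
  return removed;
}

// In a userscript this would be called as: shield(document, "full");
```

Removing the attribute only affects events that have not fired yet; a handler that ran before the userscript executed has already had its effect.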
zippynk wrote:
Well you could still do...
[ htmladd]
< /html>
[ /htmladd]
Perhaps you should have it censor < /html> except for on the last line?
Good idea.
GeonoTRON2000 wrote:
zippynk wrote:
Well you could still do...
[ htmladd]
< /html>
[ /htmladd]
Perhaps you should have it censor < /html> except for on the last line?
Good idea.
[htmladd]
</body>
[/htmladd]
The amount of things people can do is enormous.
[htmladd]
<div style="display:none;">
[/htmladd]
Ok, I added the censoring to the script, it may not work, though... It's a little feeble. It's only in the full version.
Last edited by GeonoTRON2000 (2012-04-16 10:27:41)
veggieman001 wrote:
[htmladd]
<div style="display:none;">
[/htmladd]
Lol... that does nothing but hide itself. I tried it.
GeonoTRON2000 wrote:
Ok, I added the censoring to the script, it may not work, though... It's a little feeble. It's only in the full version.
I need a way to get and set the whole document's HTML (including the html tags).
Right now I have in mind, for getting, an XMLHttpRequest to self, and for setting, document.write. Any suggestions?
GeonoTRON2000 wrote:
I found how for getting. For setting, I'll use document.write.
Aw, forget it. Removing these does more harm than good. When you turn on HTML, you expect the forum to become a website. Enjoy the lack of disguised rick-roll links and endless strings of alert boxes.
GeonoTRON2000 wrote:
GeonoTRON2000 wrote:
I found how for getting. For setting, I'll use document.write.
Aw, forget it. Removing these does more harm than good. When you turn on HTML, you expect the forum to become a website. Enjoy the lack of disguised rick-roll links and endless strings of alert boxes.
And to go along with rick rolls, we have the Rick Roller!!!!