tags:

views:

1135

answers:

6
+9  Q: 

Best Practice: Legitimate Cross-Site Scripting

While cross-site scripting is generally regarded as negative, I've run into several situations where it's necessary.

I was recently working within the confines of a very limiting content management system. I needed to include database code within the page, but the hosting server didn't have anything usable available. I set up a couple barebones scripts on my own server, originally thinking that I could use AJAX to import the contents of my scripts directly into the template of the CMS (thus retaining dynamic images, menu items, CSS, etc.). I was wrong.

Due to the limitations of XMLHttpRequest objects, it's not possible to grab content from a different domain. So I thought "iFrame" - even though I'm not a fan of frames, I thought that I could create a frame that matched the width and height of the content, so that it would appear native. Again, I was blocked by cross-site scripting "protections." While I could indeed load a remote file into the iFrame, I couldn't execute JavaScript to modify its size on either the host page or inside the loaded page.

In this particular scenario, I wasn't able to point a subdomain to my server. I also couldn't create a script on the CMS server that could proxy content from my server, so my last thought was to use a remote JavaScript.

A remote JavaScript works. It breaks when the user has JavaScript disabled, which is a downside; but it works. The "problem" I was having with using a remote JavaScript was that I had to use the JS function document.write() to output any content. Any output that isn't JS causes script errors. In addition to using document.write() for every line, you also have to ensure that the content is escaped - or else you end up with more script errors.

My solution was as follows:

My script received a GET parameter ("page") and then looked for the file ({$page}.php), and read the contents into a variable. However, I had to use awkward buffering techniques in order to actually execute the included scripts (for things like database interaction) then strip the final content of all line break characters ("\n") followed by escaping all required characters. The end result is that my original script (which outputs JavaScript) accesses seemingly "standard" scripts on my server and converts their standard output to JavaScript for displaying within the CMS template.

While this solution works, it seems like there may be a better way to accomplish the same thing. What is the best way to make cross-site scripting work specifically for the purpose of including content from a completely different domain?

+1  A: 

Personally, I would call to that other domain on the server and get and parse the data there for use in your page. That way you avoid any problems and you get the power of a server-side language/platform for getting and parsing the data.

Not sure if that would work for your specific scenario...hard to know even with your verbose description...

Jason Bunting  2008-09-09 19:12:55
+9  A: 

You've got three choices:

  1. Create a server side proxy script.

  2. Create a remote script to read in remote dynamic HTML. Use a library like jQuery to make this easier. You can use the load function to inject HTML where needed. EDIT What I originally meant for example # 2 was utilizing JSONP, which requires the server side script to recognize the "callback=?" param.

  3. Use a client side Flash proxy and setup a crossdomain.xml file on your server's web root.

jakemcgraw  2008-09-09 20:01:19
Would you please clarify #2? For the 'html' dataType, as in load(), jQuery uses XMLHttpRequest, which doesn't work cross-site. Also, load() strips out script tags.
system PAUSE  2009-04-30 22:51:50
Sorry, what I meant for #2 is using JSONP http://docs.jquery.com/Release:jQuery_1.2/Ajax#Cross-Domain_getJSON_.28using_JSONP.29
jakemcgraw  2009-05-01 16:19:23
A: 

I've come across that YDN server side proxy script before. It says it's built to work with Yahoo's Search APIs.

Will it work with any domain, if you simply trim the Yahoo API code out? Or do you need to replace it with the domain you want it to work with?

PetroleumJelliffe  2008-09-15 17:43:08
A: 

You could try easyXSS, by including very little code, you can pass data or method calls between documents of different domains. There are several examples at http://code.google.com/p/easyxss

Sean Kinsey  2009-07-05 21:32:53
A: 

script type="text/javascript" alert('XSS tends too be interesting.')

javascript  2009-12-18 22:06:45
A: 

iframe remote content can be accessed by local javascript.

The remote server just have to set the document.domain of the page.

Eg :

Site A contain an iframe with src='Site B/home.php'

home.php looks like this :

[php stuff]...[/php] [script type='text/javascript']document.domain='Site A'[/script]

plop  2010-05-10 12:27:27

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases