
What is the risk of cross site scripting, if I embed javascript into a website? Quite simply, I am using a 'site builder', and they don't allow rotating images, but they allow you to embed code... So I thought I would do that. My site doesn't have a database or anything, the 'site builder' site may have... Is there a risk?

    3 Answers


    You embedding javascript probably won't be an issue, unless you somehow embed functionality that allows for cross site scripting (your javascript would need to accept some input from the client and display it on the page - or other dynamic data, like something delivered to your app as part of an API call). Other than that, you are the one putting the javascript in there, so I would assume you have vetted it.

    I would be more concerned about the site building software that you are using. If you provide the name perhaps we could look for known vulnerabilities.

    If the site you are building stores user input (in a database for instance) insecurely and then displays it again, it could be vulnerable to XSS.

    Also, if it reflects user input, that could also be used for XSS. By reflect I mean it takes some user input and insecurely renders it to the screen immediately without storing it on the server side. One example would be if the following URL:

    http://mysite.com/account/[email protected]

    output:

    Thanks for confirming your account with the email: [email protected]!

    • Thanks all for the feedback. The software is Hetzner's SiteBuilder. Unfortunately it is limited in its functionality so one has to get creative :)
      – Tamara
      Commented Aug 23, 2013 at 13:18
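The reflected-input case from the first answer, as an added example that is not from the answer or from Hetzner's SiteBuilder: a confirmation page that echoes the `email` query parameter raw, beside the same page with HTML escaping, plus a check for markup that the template did not put there. The handler and helper names are assumptions for illustration; the sample URLs are constructed. Runs under Node.js without a browser.

```javascript
// Naive version (hypothetical): the query parameter is dropped straight into the HTML,
// so whatever the URL carries is rendered as markup. This is the reflected XSS the answer describes.
function confirmPageUnsafe(email) {
  return `<p>Thanks for confirming your account with the email: ${email}!</p>`;
}

// Encode the five characters that let text break out of an HTML text node or attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened version: the same page, but the reflected value is escaped before it hits the HTML.
function confirmPageSafe(email) {
  return `<p>Thanks for confirming your account with the email: ${escapeHtml(email)}!</p>`;
}

// Pull the email parameter out of the request URL the way a handler would (decodes %xx sequences).
function emailFromUrl(url) {
  return new URL(url).searchParams.get("email") ?? "";
}

// Detection helper: after removing the template's own <p>...</p>, any remaining tag opener
// means user-controlled markup reached the page.
function containsInjectedTag(html) {
  const body = html.replace(/^<p>/, "").replace(/<\/p>$/, "");
  return /<[a-z!/]/i.test(body);
}

// Constructed sample inputs: an ordinary address and a textbook script-tag probe.
const benignUrl = "http://mysite.com/account/confirm?email=user%40example.com";
const hostileUrl = "http://mysite.com/account/confirm?email=%3Cscript%3Ealert(1)%3C/script%3E";

// Compare both renderings of the hostile input; returns the two verdicts for inspection.
function compareRenderings(url) {
  const email = emailFromUrl(url);
  return {
    unsafeLeaksMarkup: containsInjectedTag(confirmPageUnsafe(email)),
    safeLeaksMarkup: containsInjectedTag(confirmPageSafe(email)),
  };
}
```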

    Depending on what the script you are embedding does, there could be some risk but you're probably okay.

    XSS flaws generally appear in scenarios where your page pulls in untrusted content from a 3rd party. That can be GET or POST arguments, data from a database, HTTP headers, etc.

    In this case it sounds like you're pulling in a javascript snippet to your html page. Here are two things you should be concerned about:

    1. Do I trust this javascript itself? Take a look at the javascript and make sure it's not doing anything fishy.

    2. Is this javascript pulling in any external data or code? Try to understand if the javascript is sourcing in other javascript files or looking for external data from the browser or the user.

    If the answer to both of those questions is no, then you're probably good to go.

    Note: If you're pulling in the javascript with a src tag, you should think about where you want to host that file. If you source it off of a server you don't control, that file could change in the future and become malicious or unstable.


      Cross site scripting (XSS) attacks work because the attacker embeds JavaScript in ordinary data, and have almost nothing to do with your use of JavaScript on your site. The cure for XSS is to sanitize your data before you store it, or before you display it. Never let the user put in something that can be immediately echoed.

      JavaScript on your site won't hurt or help with defending against XSS.
