1

I'm using an API from Windows gadgets to launch URLs, but I know the destructive power of things like eval() and, worse and more dangerous, System.Shell.execute();

But after some research, I think there's no better way to launch a URL in the default browser without execute(). Since URLs come from user input, how do I prevent users from executing evil code? Is my code SAFE, or can it be exploited? I want to prevent things like cmd.exe /c REG QUERY HKCU etc., launching cmd.exe with administrator privileges.

function openURL(url){

    var protocol=new Array();

    //Allowed protocols to execute
    protocol[0]='http://';
    protocol[1]='https://';
    protocol[2]='ftp://';
    protocol[3]='search-ms:query=';

    for(var i=0;i<protocol.length;i++){
        if(url.indexOf(protocol[i])==0){

            System.Shell.execute(url);
            break;
        }
    }
}
window.open(); //doesn't work (only open IE);

edit:

Allowing these 2 protocols is unsafe: file:/// and javascript:. Examples of what can be done:

file:///c:/windows/system32/ping.exe

javascript:void( window.open('http://file:///c:/windows/system32/ping.exe','','_blank') );

4

1 Answer

0

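Your use case sounds like a potential candidate for Google Caja. It is a project that attempts to sanitize JavaScript from third parties so that it is safe to run.

Answered 2011-11-08T21:45:31.217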
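
A stricter form of the question's prefix allowlist, as an added example that is not part of the original post or answer: it parses the scheme and host instead of matching a prefix, rejects characters that never appear unescaped in a URL, and passes only the normalized result on. The names `checkUrl` and the injected `execute` callback are hypothetical; `search-ms:` is left out because it has no host part to validate, and URLs with user-info or IPv6 literals are rejected by design.

```javascript
// Added example. ES5-only syntax is an assumption so the same code can run
// in the gadget's script host as well as in a modern engine.
var ALLOWED_SCHEMES = { http: true, https: true, ftp: true };

// Returns a normalized URL when the input is acceptable, otherwise null.
function checkUrl(input) {
    if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
        return null;
    }
    // Whitespace, control characters, quotes and shell-relevant punctuation
    // are never valid unescaped in a URL, so reject them outright.
    if (/[\x00-\x20\x7f"'<>\\^`{|}]/.test(input)) {
        return null;
    }
    // scheme "://" host [":" port] [path, query or fragment]
    var m = /^([A-Za-z][A-Za-z0-9+.\-]*):\/\/([A-Za-z0-9.\-]+)(:\d{1,5})?([\/?#].*)?$/.exec(input);
    if (!m) {
        return null;
    }
    // Compare the scheme case-insensitively against the allowlist.
    var scheme = m[1].toLowerCase();
    if (!ALLOWED_SCHEMES.hasOwnProperty(scheme)) {
        return null;
    }
    var host = m[2].toLowerCase();
    if (/^[.\-]|\.\.|[.\-]$/.test(host)) {
        return null; // malformed host such as ".com", "a..b" or "host-"
    }
    return scheme + '://' + host + (m[3] || '') + (m[4] || '');
}

// execute is injected so the check can be exercised outside the gadget.
// In the gadget it would be: function (u) { System.Shell.execute(u); }
function openURL(url, execute) {
    var safe = checkUrl(url);
    if (safe === null) {
        return false;
    }
    execute(safe);
    return true;
}
```
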