5
baewulf
6y

Yesterday while learning some basic php stuff, prof was telling us about text fields and how php auto converts HTML and JavaScript.

He said to test it out before class, he wrote a lil JS script and submitted it to a text field using IE and then again using Chrome.

IE let the script run no problems (big surprise) but chrome blocked the script from running.

He doesn’t use Firefox, but I just recently switched from chrome to FF so I tested it out in class on FF.

I was surprised to see FF ran the script no problem. Surprised because I made the switch because of security reasons, my partner helped me secure all my shit and we both switched to FF cause every resource suggested it.

This is just one small case that I feel isn’t a huge deal, my prof said any decent dev will strip tags or whatever, but made me think: are there any other security concerns with FF? Am I right to consider it a more secure and therefore “better” browser?

Comments
  • 1
    📍
  • 1
    That actually should be normal behaviour no? It’s up to the back-end to sanitize input?
  • 3
    Chrome has the XSS Auditor which blocks JS which is contained in the request. This of course completely useless:

    - when the js is saved in a db for example to save a post

    - when the js isn't actually inserted in the page but rather just a legitimate snippet took from the page for example:

    actual code:
    showSomeWarningAboutUser()

    request:
    GET /websits?someirrelevantparam=showSomeWarningAboutUser()

    this will result in the warning not being shown, which potentially can be dangerous.

    - lastly the XSS-Auditor is used as an excuse not to properly implement tag stripping, etc.

    liveoverflow did a great video on this.
  • 0
    Whoever is trying to post js to a form should bypass this with their hands on their back...
Add Comment