Question
I am trying to develop a back-end ad checking application in PHP. We have lots of places where ads can be shown, and almost all of them have their own unique requirements (they are shown inside games, which is why each one differs in size, weight, format, etc.). Since this can cause lots of confusion in campaigns targeting different games (with the agencies sending us ads in the wrong formats), we need to check every ad to make sure it works as expected.
The application works fine if our clients send us the ad file to check. But most of the time they send ad server tags, so they can keep track of the results, and those tags are generally JavaScript and iframe tags.
The problem is how to securely allow the insertion of JavaScript and iframe code, and render it on the postback page (for visual checking), in all browsers, without risking XSS problems.
At the moment, I've managed to post the code and print it on the postback page in all browsers except Chrome, because of its security measures. But since I'm going to have to tackle that issue anyway, how can I make it work in all browsers and still be sure the application is safe?
Thanks. Decio
Answer 1:
If you include third-party JavaScript code, you are always risking XSS. Let's say you're testing this code from an ad provider:
<script src="http://some3rdPartySite.com/script.js"></script>
- The script can be altered to display one way and cause different results on the target domain and on all other pages. That is, you can see how it wants to be shown to you, but you can't be sure that it will be the same in some of your customers' games.
- The ad provider can change the script on its server at any moment, possibly after your tests.
If you do not trust your ad vendors, I suggest letting them choose image + URL or iframe URL + dimensions. You can do "bad stuff" with an iframe too (like frame-busting, thus redirecting away from your customer's page), but it still must obey the cross-domain policy. This is not the case if you let JavaScript code be executed.
You could also provide your own analytics for ad vendors to fill their needs.
Anyway, for testing JavaScript results you could use Selenium drivers with any browser: http://seleniumhq.org/. It lets you load any page, execute JavaScript code and get the results. In this way you could load your JavaScript code, search the DOM for nodes and check their dimensions, etc.
Also, you can look at Sahi: http://sahi.co.in/w/
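The two restricted ad shapes the answer recommends (image + click URL, or iframe URL + dimensions) can be validated and rendered without ever inlining vendor markup, and a raw JavaScript tag that must be previewed as-is can be confined to a sandboxed srcdoc iframe so it runs in an opaque origin rather than in the preview page's origin. The following Node.js code is an added example illustrating that, not code from the original question or answer; the function names (renderAd, renderUntrustedTag, checkUrl) and the sample URLs are hypothetical.

```javascript
// Added example (not from the original post): accept only the two ad shapes the
// answer recommends, validate them, and emit preview markup with every attribute
// escaped. Raw tags get a separate, sandboxed srcdoc iframe so that whatever
// they do runs in an opaque origin, not in the preview page's origin.
// All function names are hypothetical helpers, not part of any library.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_DIMENSION = 4096;

// Escape a value for use inside a double-quoted HTML attribute or as text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse with the WHATWG URL parser and reject anything that is not http(s),
// which stops javascript:, data: and similar schemes before they reach markup.
function checkUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch (e) {
    throw new Error(`invalid URL: ${raw}`);
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  return url.href;
}

function checkDimension(n, name) {
  if (!Number.isInteger(n) || n <= 0 || n > MAX_DIMENSION) {
    throw new Error(`bad ${name}: ${n}`);
  }
  return n;
}

// Sandbox flags for third-party content: scripts may run, but without
// allow-same-origin the frame gets an opaque origin (no access to the preview
// page's DOM or cookies) and without allow-top-navigation it cannot frame-bust.
const SANDBOX = "allow-scripts allow-popups allow-popups-to-escape-sandbox";

// ad is one of:
//   { type: "image",  image: url, click: url, width, height }
//   { type: "iframe", src: url, width, height }
function renderAd(ad) {
  const width = checkDimension(ad.width, "width");
  const height = checkDimension(ad.height, "height");
  if (ad.type === "image") {
    const image = checkUrl(ad.image);
    const click = checkUrl(ad.click);
    return `<a href="${escapeHtml(click)}" target="_blank" rel="noopener noreferrer">` +
      `<img src="${escapeHtml(image)}" width="${width}" height="${height}" alt=""></a>`;
  }
  if (ad.type === "iframe") {
    const src = checkUrl(ad.src);
    return `<iframe src="${escapeHtml(src)}" width="${width}" height="${height}" ` +
      `sandbox="${SANDBOX}" referrerpolicy="no-referrer"></iframe>`;
  }
  throw new Error(`unsupported ad type: ${ad.type}`);
}

// For a raw JavaScript/iframe tag that must be previewed as-is: never inline it
// in the page. Wrap it in a sandboxed srcdoc iframe instead; the tag text is
// attribute-escaped, so it is markup inside the frame and inert in the page.
function renderUntrustedTag(tagHtml, width, height) {
  const w = checkDimension(width, "width");
  const h = checkDimension(height, "height");
  const doc = `<!doctype html><body style="margin:0">${tagHtml}</body>`;
  return `<iframe srcdoc="${escapeHtml(doc)}" width="${w}" height="${h}" ` +
    `sandbox="${SANDBOX}" referrerpolicy="no-referrer"></iframe>`;
}

// Constructed sample input: the tag from the answer, plus an image ad.
const sampleTag = '<script src="http://some3rdPartySite.com/script.js"></script>';
console.log(renderAd({ type: "image", image: "https://cdn.example/a.png",
  click: "https://example.com/?q=1", width: 300, height: 250 }));
console.log(renderUntrustedTag(sampleTag, 300, 250));
```

The sandbox only limits what the tag can reach from inside the preview page; it does not address the answer's other point, that the vendor can change the script after your test, so a preview is evidence about one fetch, not a guarantee. Serve the preview page with its own Content-Security-Policy and, where you can, host the srcdoc frame on a separate origin so that even a sandbox-escape bug in a browser cannot reach your application's session.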
Source: https://stackoverflow.com/questions/9911887/securely-posting-and-then-printing-javascript-tags