| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Test JS secure</title>
<!-- <script type="text/javascript" src="secure_0.js"></script> -->
<!-- <script type="text/javascript" src="jquery.js"></script> -->
<!-- <script type="text/javascript" src="myOwnFunctions.js"></script> -->
<!-- <script type="text/javascript" src="secure_1.js"></script> -->
<script type="text/javascript">
// SAMPLE SECURE #0 : secure_0.js
// `secure` bundles the three parts of the lock-down:
//   s - source text that every wrapped script passes to eval() to take
//       private copies of the native window functions
//   u - factory for the stub that replaces a native function
//   f - installs the stub on window.alert and document.getElementById
//
// NOTE(review): this deters casual address-bar / console use; it is not a
// security boundary. f() only reassigns two properties, it does not remove
// the native implementations from the browser, and it does nothing about
// script that runs before it. Keeping hostile script off the page is a job
// for output encoding and a Content-Security-Policy. The pattern itself
// relies on eval() and inline script, so a strict CSP (no 'unsafe-eval',
// no 'unsafe-inline') would block it.
var secure = {
  // Evaluated with a direct eval() inside each wrapper function. It declares
  // one local per name in `w` that exists on window, plus `d`, whose
  // getElementById forwards to the document.getElementById seen at eval time.
  // The text is a constant of this file; it must never be built from
  // external input. Kept on one line so the string stays byte-identical.
  s: "var w=['alert','back','blur','captureEvents','clearInterval','clearTimeout','close','confirm','disableExternalCapture','enableExternalCapture','find','focus','forward','handleEvent','home','moveBy','moveTo','open','print','prompt','releaseEvents','resizeBy','resizeTo','routeEvent','scroll','scrollBy','scrollTo','setInterval','setTimeout','stop','toSource','toString','unwatch','valueOf','watch'];for(var i in w) if(window[w[i]]!=undefined) eval('var '+w[i]+' = window[w[i]];');var document_getElementById = document.getElementById, d = {}; d.getElementById = function(){var r = document_getElementById.apply(document,arguments);return r;};",

  // The outer function runs once, right here, and keeps the then-current
  // window.alert in a closure so the stub can still show its warning after
  // window.alert has been replaced.
  u: (function () {
    var nativeAlert = window.alert;

    return function () {
      // Each call hands out a fresh stub function.
      return function () {
        // Silent pass for one caller: wpaCommon.onPageLoaded. wpaCommon is not
        // defined on this page - presumably an external widget; confirm.
        // arguments.callee.caller only works in non-strict code; adding
        // "use strict" to this function would make the check throw.
        var calledByPageLoadHook =
          typeof(window.wpaCommon) != "undefined" &&
          wpaCommon.onPageLoaded == arguments.callee.caller;

        if (calledByPageLoadHook) {
          return;
        }
        nativeAlert("[Security] You can't do it !");
      };
    };
  })(),

  // Replaces the two public entry points with stubs. Wrappers that already
  // evaluated `s` keep working because they hold their own copies.
  f: function () {
    var alert = window.alert; // never read afterwards; kept as in the original
    window.alert = this.u();
    document.getElementById = this.u();
  }
};
// SAMPLE JS FILE #1 : jquery.js
// Wrapper pattern for a third-party library: the library source is pasted
// inside this function. eval(secure.s) is a direct eval, so the variables it
// declares (alert, setTimeout, ..., and `d`) become locals of this wrapper and
// hold the functions that were on window when the wrapper ran.
// Only bare identifiers such as alert(...) resolve to those copies. Code that
// spells out window.alert(...) or document.getElementById(...) still reaches
// whatever is installed on window/document at call time.
// The eval call must stay in this exact form, inside the wrapper.
(function(){eval(secure.s);
// ----------
// paste all jQuery code here
// ----------
})();
// SAMPLE JS FILE #2 : myOwnFunctions.js
// Application code wrapped the same way as the library sample: after
// eval(secure.s) the names `alert` and `d` are locals of this wrapper.
(function () {
  eval(secure.s);

  // Example use of the captured functions.
  window.onload = function () {
    var target = d.getElementById("tt");

    target.onclick = function () {
      // Both calls run at click time, i.e. after the public window.alert and
      // document.getElementById have been replaced, and still succeed because
      // they go through the wrapper's private copies.
      alert("d.getElementById('tt') : " + d.getElementById("tt"));
      // Constant markup only; do not extend this to insert external data.
      this.innerHTML += "<br/>tayooooo";
    };
  };
})();
// SAMPLE SECURE #1 : secure_1.js
// Must be the last script to run: secure.f() reassigns window.alert and
// document.getElementById to the blocking stub. A wrapper that evaluates
// secure.s after this point would capture the stub instead of the natives.
secure.f();
</script>
</head>
<body>
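<!-- Demo markup. The two links run javascript: URLs in the page's global
     scope, where alert and document.getElementById have been replaced by the
     stub, so they only show the warning. The span's click handler was bound
     inside a wrapper and uses the captured copies, so it still works.
     Attribute values are quoted: the XHTML doctype requires it, and the
     second href contains quote characters. -->
try to alert my span with id "tt", write in address url : <br/>
<a href="javascript:alert(1);">javascript:alert(1);</a> // secure <br/>
<a href="javascript:document.getElementById('tt');">javascript:document.getElementById('tt');</a> // secure<br/>
then <span id="tt"><b>CLICK HERE</b></span> and you'll see as the "alert" AND the "getElementById" are still working ... only protected from you^^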
</body>
</html> |