Providing extension to JED with JS configuration


sig...@die-herzogs.com

Nov 10, 2021, 4:56:38 AM
to Joomla! General Development
Hi guys!

I'm about to publish my first (free) extension to JED. It's a module that shows banners from com_banners as a slideshow using https://kenwheeler.github.io/slick/.
I think it could be helpful to provide a demo for its configuration (in the backend). The most critical part is a textarea that accepts JS code.

I thought of handling it this way:

Backend
Users can only insert Slick configuration parameters like
dots: false,
autoplay: true,
autoplaySpeed: 1000,
...

This textarea content (field name: sliderJS) is "translated" to JS code in the tmpl/default.php file like this:

    <script type="text/javascript">
        var $jq = jQuery.noConflict();
        // The raw textarea value is printed verbatim inside the slick() options object
        $jq('.hrz-slider').not('.slick-initialized').slick({ <?=$params->get('sliderJS');?> });
    </script>

Is there a potential security risk to my own server that the demo is running on (so someone could enter "bad code" and harm my system), or is it safe enough to only "allow" the Slick configuration?
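
Worked example, added here and not part of the post or of the module's own code: the template above prints the textarea value verbatim inside the slick({ ... }) object literal, so whatever the field contains is emitted into the page as JavaScript. The variant below parses the textarea against an allowlist of option names and value types and emits the result with json_encode, so only typed option values ever reach the browser. The field name sliderJS, the CSS class hrz-slider and the three sample options are taken from the post; the function names, the allowlist contents and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not the module's code): accept only a known set of Slick
// options from the "sliderJS" textarea and emit them as JSON, never as raw JS.
// Assumptions: the option allowlist below is illustrative, not Slick's full
// option set; helper names are invented for this example.

declare(strict_types=1);

/** Allowed option names and the PHP type each value must have (assumed list). */
const SLICK_ALLOWED_OPTIONS = [
    'dots'           => 'bool',
    'arrows'         => 'bool',
    'infinite'       => 'bool',
    'autoplay'       => 'bool',
    'fade'           => 'bool',
    'autoplaySpeed'  => 'int',
    'speed'          => 'int',
    'slidesToShow'   => 'int',
    'slidesToScroll' => 'int',
];

/**
 * Parse "key: value," lines from the textarea into a typed PHP array.
 * Anything that is not exactly "<allowed key>: <bool|int>" is rejected,
 * so user input never reaches the page as code.
 */
function parseSlickOptions(string $text): array
{
    $options = [];
    foreach (preg_split('/\R/', $text) as $index => $line) {
        $line = trim($line, " \t,");          // tolerate trailing commas
        if ($line === '') {
            continue;
        }
        // Strictly bounded value token: true, false or up to six digits.
        if (!preg_match('/^([A-Za-z]+)\s*:\s*(true|false|\d{1,6})$/', $line, $m)) {
            throw new InvalidArgumentException('Line ' . ($index + 1) . ' is not a valid option');
        }
        [, $key, $raw] = $m;
        if (!isset(SLICK_ALLOWED_OPTIONS[$key])) {
            throw new InvalidArgumentException("Unknown option '$key'");
        }
        $type = SLICK_ALLOWED_OPTIONS[$key];
        if ($type === 'bool' && ($raw === 'true' || $raw === 'false')) {
            $options[$key] = ($raw === 'true');
        } elseif ($type === 'int' && ctype_digit($raw)) {
            $options[$key] = (int) $raw;
        } else {
            throw new InvalidArgumentException("Option '$key' expects a $type value");
        }
    }
    return $options;
}

/**
 * Build the script tag for the template. json_encode with the HEX flags
 * escapes <, >, &, ' and " so neither "</script>" nor a stray brace can
 * break out of the object literal; (object) keeps an empty set as {}.
 */
function renderSlickScript(array $options): string
{
    $json = json_encode(
        (object) $options,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script type="text/javascript">'
        . 'var $jq = jQuery.noConflict();'
        . "\$jq('.hrz-slider').not('.slick-initialized').slick($json);"
        . '</script>';
}

// In tmpl/default.php the call would be:
//   echo renderSlickScript(parseSlickOptions((string) $params->get('sliderJS')));

// Constructed sample input, as a benign user would type it in the backend.
$benign = "dots: false,\nautoplay: true,\nautoplaySpeed: 1000,";
echo renderSlickScript(parseSlickOptions($benign)), PHP_EOL;

// Constructed sample input that closes the options object and appends its
// own statement; the original template would have printed it unchanged.
$hostile = "autoplay: true }); alert(document.cookie); \$jq({ dots: false";
try {
    parseSlickOptions($hostile);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist is the whole point: the original template accepts any text because the browser, not PHP, decides what it means. Here the decision is made in PHP from a fixed table of names and types, and the JSON encoder is the only thing that writes into the script, so a demo backend open to visitors can no longer be used to store JavaScript that runs for everyone who loads the module.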

Polyna-Maude R.-Summerside

Nov 10, 2021, 5:25:01 AM
to joomla-de...@googlegroups.com

I'd suggest you take a look at OWASP guide relating to XSS, PHP and JS.

A quick answer would be: if you have a doubt, then yes, there's a risk, because you haven't done enough testing or understood the underlying process well enough to convince yourself it's safe.

Not to be rude, but if your last line of defense against XSS is having your code validated by a mailing list, then maybe you should go a safer way...

You could also run ZAP through your test server and see what comes back.

Here are some links:

OWASP Cheatsheet

https://owasp.org/www-project-cheat-sheets/

OWASP Application Security Verification Standard (XSS/SQL Injection/Remote code execution, etc)

https://owasp.org/www-project-application-security-verification-standard/

OWASP Web Security Testing Guide

https://owasp.org/www-project-web-security-testing-guide/

--
Polyna-Maude R.-Summerside
https://www.polynamaude.com/

-Be smart, Be wise, Support opensource development
