I just need to know if its possible and how. I had an incident once on a message board I frequented where someone's signature displayed info about my PC and internet connection to me rather than an actual artsy-fartsy signature. I'm not new to this, I saw that type of thing appear roughly a decade ago but circumstances regarding this person's actions are worrisome. I'm talking about what* else* did that particular signature execute? Did that sig send info back to that person's computer about my computer? I know this sounds paranoid...
Curious Gorge 21 Junior Poster in Training
AleMonteiro 238 Can I pick my title?
Yes, it's possible. If not handled properly many input text accept the <script> tag.
Then that JS is saved on the DB and when the signature is displayed the javascript could be executed also(again, if not properly handled by the developer).
This is called XSS (Cross Site Scripting).
A simple example:
<div>
<h2>My Signature Yeah!</h2>
<script type="text/javascript">
alert('My script was saved on the DB and now it'll be executed every time my signature is displayed');
</script>
</div>
Curious Gorge 21 Junior Poster in Training
What are the limitations of this? I mean in the example I provided about a persons signature displaying computer and connection info, could it have recorded those particular details and sent them to that person if they had coded something like that?
One more question, and I promise its related: I know IP addresses change but do they always indicate your home address?
diafol
Imagine anything you can do with JS running on your page for everybody to see. Maybe even a redirect to a porn site :(
Curious Gorge 21 Junior Poster in Training
So there aren't any limits? What about my IP address question?
diafol
Unless you grant unfettered access to your IP data, then it's difficult to see how.
However, XSS attacks can change the content of the page, e.g. overwrite your internal links to an identical-looking scam site, they can pick up any cookies or session tokens for your site.
You seem to have a Type 1 / persistent / stored XSS.
The limits you speak of are probably down to your server-side vulnerabilities. Do not trust any user input or request without validation or sanitization.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.