[thelist] capturing text from a field

Ray Hill lists at prydain.com
Thu Feb 8 22:22:31 CST 2001


> could a submit button take you one place (say after you
> typed in your username and password) but also in the same
> motion while calling up the onSubmit javascript function,
> send the information in the 2 fields to my email through
> formmail or something to that effect?

Hmmm...  In theory, you could have an onsubmit action call a function that gets the values of all the fields in the form, uses them to assemble a URL, passing the values in that URL, and then open a new window to that location.  The script you call in the new window could then send the email and close itself.  But this would be overkill in a big way.

The easier way to do it is just have the action of the form point to an intermediate script.  The intermediate script would accept the form values, send the email, then redirect itself to the actual target, passing along the form values at the same time.  That way, you don't have to worry about people who don't have JavaScript turned on, and the user doesn't see a new window pop up and then close itself.



> preliminarily i think this may be the beginning of a
> huge security breach on some websites.

Well, sort of.  But it's nothing new, and can only be effective in rare circumstances.  Since the command to trigger either of these methods has to be in the <form> tag, it can only be implemented by the person writing the HTML for that form, which is usually the one who *doesn't* want anything bad to happen to the data.

The trouble comes when you allow your users to enter in their own HTML code, and they are able to trick people into thinking that their form is yours.  I'll give you an example.

Several months ago, a friend of mine got the same idea you had.  He decided to test his theory on eBay, to see if they were as susceptible to this kind of trickery as he thought they were.  So he posted an item for sale that could have been seen as being "for mature audiences," but wasn't.  In the HTML description of the auction, he mimicked the form that eBay used to put on their adult auctions (to verify that you were old enough to view it), but had the action of the form point to a script on his server.


When an eBay bidder came to his auction, they would recognize the UI, enter their username and password, then hit submit.  That would send the username/password to his script, which wrote it to a text file (could just as easily have emailed it), and then redirected the user to the eBay page they were expecting to go to.  So the user never noticed that anything was wrong, and he had their username/password.

After confirming that this worked, he sent his findings to the eBay folks, and they had the hole patched up within a week, I believe.


So, yes, it is a potential security risk.  But it only comes into effect when you let users enter their own HTML code that gets plugged into your UI.  And if you're handling that, you can parse the HTML they enter to make sure they don't do anything malevolent.


--ray
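
An added example, not part of the original post: one way a site could parse user-entered HTML as the last paragraph suggests, using an allowlist so that form controls and script-bearing attributes never reach the rendered page. The tag policy, function names and sample listing are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for user-supplied descriptions: formatting tags and links only.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")

# Constructed sample: a listing description that embeds a look-alike sign-in form.
SAMPLE = (
    '<p>Vintage poster, <b>mint</b> condition.</p>'
    '<form action="https://collector.example/login" method="post">'
    'User ID: <input name="userid"> Password: <input type="password" name="pass">'
    '<input type="submit" value="Continue"></form>'
    '<a href="https://photos.example/poster.jpg" onclick="x()">photo</a>')

class DescriptionSanitizer(HTMLParser):
    """Re-emit only allowlisted markup and record every tag that was dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # form, input, script, iframe, ...
            return
        kept = ""
        for name, value in attrs:
            # Keep only allowlisted attributes whose value is an http(s) URL,
            # which discards onclick= handlers and javascript: links.
            ok = name in ALLOWED_ATTRS.get(tag, ()) and value
            if ok and value.strip().lower().startswith(SAFE_SCHEMES):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always escaped, so it stays inert

def sanitize_description(html_text):
    """Return (clean_html, dropped_tags) for a user-supplied description."""
    parser = DescriptionSanitizer()
    parser.feed(html_text)
    parser.close()  # flush any text still buffered by the parser
    return "".join(parser.out), parser.dropped

if __name__ == "__main__":
    print(sanitize_description(SAMPLE))
```

A non-empty list of dropped tags containing `form` or `input` is also a useful signal to queue the listing for review.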




