
Anti Click Jacking

 
jaze22
Smarty Rookie


Joined: 06 Jan 2010
Posts: 6

Posted: Thu Jun 07, 2018 3:06 pm    Post subject: Anti Click Jacking

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

How come this breaks the Smarty template from working:

Best-for-now Legacy Browser Frame Breaking Script
One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers, that do not support the X-Frame-Options-Header.

In the document HEAD element, add the following:

First apply an ID to the style element itself:
Code:
<style id="antiClickjack">body{display:none !important;}</style>


And then delete that style by its ID immediately after in the script:


Code:
<script type="text/javascript">
{literal}
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
{/literal}
</script>
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

Posted: Thu Jun 07, 2018 3:24 pm    Post subject:

Can you please explain the purpose of your post?
Everything you've posted exists in the documentation in a much cleaner and more readable form.
jaze22
Smarty Rookie


Joined: 06 Jan 2010
Posts: 6

Posted: Thu Jun 07, 2018 7:29 pm    Post subject:

My question is, if I place that code in a static web page, for example page.html, it works.

If I put that code in a smarty.tpl file, it breaks the Smarty template; you just see a blank page.
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

Posted: Thu Jun 07, 2018 10:29 pm    Post subject:

As I said, https://www.smarty.net/docs/en/language.escaping.tpl
Second paragraph, right after the note.
bsmither
Smarty Elite


Joined: 20 Dec 2011
Posts: 322
Location: West Coast

Posted: Fri Jun 08, 2018 5:46 pm    Post subject:

In this statement:
Code:
<style id="antiClickjack">body{display:none !important;}</style>
you have unescaped braces.
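
Added example, not part of the original thread: the snippet from the first post with the `<style>` rule also wrapped in `{literal}`, which is the escaping the replies above point to. The surrounding page skeleton, title and body text are constructed placeholders.

```smarty
{* Constructed example template; title and body text are placeholders. *}
<!DOCTYPE html>
<html>
<head>
<title>Example page</title>

{* Hide the page until the script confirms it is not framed.
   The CSS braces sit inside literal tags so Smarty does not try to
   parse "display:none !important;" as a template tag. *}
{literal}
<style id="antiClickjack">body{display:none !important;}</style>
{/literal}

<script type="text/javascript">
{literal}
   if (self === top) {
       // Not framed: remove the hiding style so the page renders.
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       // Framed: navigate the top-level window to this page.
       top.location = self.location;
   }
{/literal}
</script>
</head>
<body>
<p>Page content</p>
</body>
</html>
```

In Smarty 3, braces surrounded by whitespace are left alone by default, so writing the rule as `body { display:none !important; }` is an alternative to the `{literal}` wrapper.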