Archivebox: Architecture: Strip all Javascript from static html archives by default

Created on 9 May 2019  路  1Comment  路  Source: ArchiveBox/ArchiveBox

Type

  • [ ] General Question or Disussion
  • [x] Propose a brand new feature
  • [ ] Request modification of existing behavior or design

What is the problem that your feature request solves

Some websites use javascript to redirect any saved pages to the original site, thereby beaking archiving of pages on the site in question.

Describe the ideal specific solution you'd want, and whether it fits into any broader scope of changes

Ideally, the option to scan the javascript in each downloaded file to prevent setting window.location in any form.

Since JS can be obfuscated in all sorts of forms, perphaps an option to simply strip out javascript from downloaded files could also be useful slash more reasonable to implement.

What hacks or alternative solutions have you tried to solve the problem?

Currently, the only real solution is to open up the offending HTML files myself and remove the javascript causing the redirects from the \

>All comments

Yeah we're definitely adding this soon, it's a huge security issue currently to allow archived pages to run JS in a shared context, especially when opened via the filesystem.

I've officially made this a blocker to v0.4 due to the urgency: https://github.com/pirate/ArchiveBox/pull/207#issuecomment-494107553 but I cant promise I'll get around to it soon. In the meantime I'm adding notices to the README and wikis telling people not to use it for private content and to beware of potential JS execution reading from the filesystem / XSS-ing the archive.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

onlyjob picture onlyjob  路  4Comments

MartinThoma picture MartinThoma  路  4Comments

poblabs picture poblabs  路  5Comments

arnauldb picture arnauldb  路  4Comments

s7x picture s7x  路  5Comments