Should eBay ban Flash & Javascript to stop XSS flaws?

JavascriptFollowing on from the BBC press about eBay XSS vulnerabilities and several hundred listings being identified as phishing directly from the eBay site, we thought we should poll the experts for some opinions.

eBay are caught between a rock and a hard place. On the one hand they could have a blanket ban on all active code such as Flash and Javascript in eBay listings. However if they do would it impact listings? We asked the guys that create more listings than anyone one – the listing designers. We spoke to several eBay specialist listing designers today who’s clients between them have millions of active listings.

How a ban on active code would impact your custom listing design

The designers tell us that Javascript is a requirement if you want to achieve certain dynamic functionality within a listing. For example many eBay designers will be using Javascript to generate a dynamic Shop Category menu within listings.

Many sellers are also calling for responsive listing templates that adapt to tablet and mobile screens – that too heavily relies on Javascript.

Another example of Javascript is to swap the multiple images and super-zoom for the multiple image displays we see on listings.

The designers told us that if eBay did ban Javascript, then yes it may affect these listings so far as functions such images wouldn’t zoom and the menus would not pop-out. On the whole however for many it would not cause the template as such to be non-functional, but only certain advanced features may not work. It would not have an effect that listings would vanish or lose the graphic design component, they would just lose their dynamic components.

Is HTML5 the answer?

HTML5 FeatThe designers tell us that HTML5 is not yet 100% compatible on eBay and even if it was, it would not allow for some of the functionality that you see available in descriptions or shops today. Plus of course HTML5 relies on the user having a bang up to date browser or it simply won’t be supported.

You might think it’s a great way to force users to update their browser, but go to http://html5test.com/ and you’ll find your (hopefully) up to date browser doesn’t fully support HTML5 yet. As for older devices in which we must include internet enabled TVs, Game Consoles and a plethora of smartphones and tablets which can’t be upgraded to the latest versions and you can see it’s a bit of a problem.

In favour of keeping Flash and Javascript

Green TickFor today’s web we could probably live without Flash, but Javascript is so prevalent that hardly a website out there doesn’t still use it and literally millions of eBay listings rely on it for functionality. Plus of course if eBay was to ban the code, which seller wants to pay the cost of having their listing templates redesigned to HTML5 standards?

Perhaps a solution may be a ban on all active code except that specifically tested and approved by eBay. If they could work with the listing design companies their code could be approved, but of course there are hundreds of smaller companies who’s code could be banned, not to mention the sellers who code their own listings.

In favour of banning Flash and Javascript

Red CrossWell the BBC of course are in favour of a ban and it would be fair to assume it’s tempting for eBay themselves as banning the code would put an end to the XSS vulnerabilities and the bad press.

eBay do limit the use of potentially malicious code. They say “If you try to use scripts that we disable, you’ll get an error message that says “Disallowed JavaScript/HTML Syntax”. This means you can’t list the item, or the script will be disabled at run-time”. Obviously it’s not working, hackers are ever more ingenious in finding holes and hitherto unknown bugs/undocumented features which enable them to bypass eBay’s attempts to stop them.

Should eBay ban Flash & Javascript

As with anything on the net it’s a race between the hackers and the good guys, but what do you think? Should eBay simply ban all Flash and Javascript (hopefully not before Christmas – no seller has time to redo their listings at this time of year!), or should eBay continue to allow the code and refine their screening process in the knowledge that inevitably a handful of malicious listings will surface from time to time?