Should eBay ban Flash & Javascript to stop XSS flaws?

By Chris Dawson September 24, 2014 - 6:52 am

Following on from the BBC coverage of eBay XSS vulnerabilities, and the several hundred listings identified as phishing for credentials directly from the eBay site, we thought we should poll the experts for their opinions.

eBay are caught between a rock and a hard place. On the one hand they could put a blanket ban on all active code, such as Flash and Javascript, in eBay listings. But if they did, how would it affect listings? We asked the people who create more listings than anyone else: the listing designers. We spoke today to several eBay specialist listing designers whose clients between them have millions of active listings.

How a ban on active code would impact your custom listing design

The designers tell us that Javascript is a requirement if you want certain dynamic functionality within a listing. For example, many eBay designers use Javascript to generate a dynamic Shop Category menu within listings.

Many sellers are also calling for responsive listing templates that adapt to tablet and mobile screens, and that too relies heavily on Javascript.

Another use of Javascript is swapping between multiple images, and the super-zoom, in the multi-image displays we see on listings.

The designers told us that if eBay did ban Javascript, then yes, it could affect these listings, in that functions such as image zoom would stop working and the menus would not pop out. On the whole, however, for many templates it would not make the template as such non-functional; only certain advanced features would stop working. Listings would not vanish or lose their graphic design; they would just lose their dynamic components.

Is HTML5 the answer?

The designers tell us that HTML5 is not yet 100% compatible on eBay and, even if it were, it would not allow for some of the functionality you see in descriptions or shops today. Plus, of course, HTML5 relies on the user having a bang up to date browser, or it simply won’t be supported.

You might think it’s a great way to force users to update their browser, but go to and you’ll find your (hopefully) up to date browser doesn’t fully support HTML5 yet. Add the older devices, among which we must include internet-enabled TVs, games consoles and a plethora of smartphones and tablets that can’t be upgraded to the latest versions, and you can see it’s a bit of a problem.

In favour of keeping Flash and Javascript

For today’s web we could probably live without Flash, but Javascript is so prevalent that hardly a website out there doesn’t use it, and literally millions of eBay listings rely on it for functionality. Plus, of course, if eBay were to ban the code, which seller wants to pay the cost of having their listing templates redesigned to HTML5 standards?

Perhaps a solution would be a ban on all active code except that specifically tested and approved by eBay. If they could work with the listing design companies, their code could be approved, but of course there are hundreds of smaller companies whose code would be banned, not to mention the sellers who code their own listings.

In favour of banning Flash and Javascript

Well, the BBC of course are in favour of a ban, and it would be fair to assume it’s tempting for eBay themselves, as banning the code would put an end to the XSS vulnerabilities and the bad press.

eBay do . They say: “If you try to use scripts that we disable, you’ll get an error message that says ‘Disallowed JavaScript/HTML Syntax’. This means you can’t list the item, or the script will be disabled at run-time”. Obviously it’s not working: hackers are ever more ingenious in finding holes and hitherto unknown bugs or undocumented features that let them bypass eBay’s attempts to stop them.

Should eBay ban Flash & Javascript?

As with anything on the net it’s a race between the hackers and the good guys, but what do you think? Should eBay simply ban all Flash and Javascript (hopefully not before Christmas – no seller has time to redo their listings at this time of year!), or should eBay continue to allow the code and refine their screening process in the knowledge that inevitably a handful of malicious listings will surface from time to time?

  • JD
    3 years ago

    I don’t much care what eBay do with flash and javascript (most of which is inserted on the site by eBay themselves to create ‘the experience’).

    But what they must do is:
    1) restore and maintain a stable trading platform
    2) repair the damaged perception in the eyes of all users as to the security of their personal data.

    There would appear to be an ongoing credibility gap.

  • David Brackin
    3 years ago

    The call to ban these things is shrill and the kind of thing you’d expect from the Daily Mail.

    The number of compromised listings — the Defect Rate, if you will — is tiny. We’re talking a few hundred listings out of millions.

    It’s about the same rate as the amount of fraud on Paypal. Are we suggesting Paypal should be banned from eBay listings? It’s about the same rate as fake tenners. Are we suggesting they should be taken out of circulation?

    Just because there are a few bad buildings you don’t tear down an entire city. eBay can police the listings with relative ease, and perhaps — just perhaps — users can grow up a little and take their own personal responsibility for not entering their passwords into phishing sites.

  • jimbo
    3 years ago

    “Many sellers are also calling for responsive listing templates that adapt to tablet and mobile screens – that too heavily relies on Javascript.” It shouldn’t. Should just be HTML/CSS to do the responsive part.

  • Damien
    3 years ago

    Anyone who still uses Flash and Javascript in this day and age needs to take a modern-day basic web design lesson. Buyers are not impressed with your overly garish listing pages with web counters, OTT info and dynamic menus. This isn’t Geocities; you are supposed to be presenting yourself as a professional business.

    Doesn’t matter about the defect rate; at the end of the day it’s not a complicated attack, and eBay are currently allowing the phishing of usernames and passwords directly on their own website, and it has been going on since February at the earliest.

    Do these shop owners realise that a growing number of people shop primarily from their phones and tablets? I.e. no Flash and basic Javascript functionality; you really should be learning, or employing designers that know, HTML 5 and other modern standards.

    • 3 years ago

      Javascript is still an important part of modern web design, but I agree it is not necessary in ebay listings and most of the time results in hideous product descriptions. All required functionality for a product description can be done through simple HTML/CSS.

    • Damien
      3 years ago

      Just describe the product, that’s all you need to do along with some basic design to make it look a little more professional and easier to read.

      My comments on Java are a bit off, but yeah there really is no need for it on eBay. Most people have browsers that can handle most HTML 5 functionality

  • John
    3 years ago

    The BBC and the lefties in society annoy me – they have nothing better to write about. There is nothing wrong with eBay; it’s more about people who are so brain dead they give their passwords away or click on phishing links – they deserve to get their accounts hacked.

    • jimbo
      3 years ago

      What has this got to do with “lefties” ?

    • Damien
      3 years ago

      Nothing wrong with eBay; think that joke won the best joke of the Fringe award.

      Also people stupid enough to click on the links? What links. It’s a complete redirection to a perfect copy of the eBay log in page by simply clicking on the item from the search function in eBay.

      Finally left wingers are usually the ones to decry over-policing 😉

    • radroach
      3 years ago

      “The BBC and the lefties in society annoy me – they have nothing better to write about”

      Yet according to another poster on the thread:

      “The call to ban these things is shrill and the kind of thing you’d expect from the Daily Mail.”

      Covers a wide political spectrum it would seem

    • Damien
      3 years ago

      Just waiting on the inevitable comparison to Nazi Germany

  • vince
    3 years ago

    As a professional software engineer, I have found the overuse of JavaScript and Flash annoying, and it can often breach the security of the client system. It is NOT essential, and it is also bad manners not to accommodate users who neither want nor are able to run browsers with add-ons. Today I have tried many different sites to make a purchase, abandoning each when the page was unusable; I finally made my purchase on one that was client friendly. So who are the losers here? Neither Flash nor JS is essential; they are just used by lazy or unskilled web designers.

  • ManicMonkey
    3 years ago

    eBay already block lots of Javascript – for example, you cannot directly include external Javascript files.

    The problem is that eBay allows obfuscated code, which people like Frooition use to include external files even though it’s not allowed. eBay’s system is either too basic to detect these exploits or we have to assume they condone it because they have allowed companies to do it for years.

    Look at the source of a Frooition template, like the Laura Ashley shop, and see the techniques they use to include external files. Stuff like this:

    var az = "SC"; // fragments of the word "SCRIPT", split so no single literal contains it
    var bz = "RI";
    var cz = "PT";
    var tag = az + bz + cz; // joined at run-time, yielding "SCRIPT"

    Then they concatenate them to output “SCRIPT”.

    They use multiple script tags with partial Javascript in them, again breaking eBay’s detection system.

    Once you start allowing exploits then it becomes a nightmare to manage – eBay could make a change to their code which breaks millions of listings. Also it becomes harder, although by no means impossible, to detect malicious code.
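An added example, not part of the comment above and not eBay's, Frooition's or any listing designer's code: it shows why a per-tag keyword check like eBay's "Disallowed JavaScript/HTML Syntax" filter misses the fragment trick quoted above, and how a scanner can catch it by joining the bodies of all inline `<script>` elements in a listing and folding string concatenations ("SC" + "RI" + "PT" becomes "SCRIPT") before looking for blocked tag names. The function names and both listing snippets are constructed for this example.

```javascript
// Added example (not eBay's, Frooition's or any listing designer's code): join every
// inline <script> body, fold "a" + "b" string concatenations, then look for blocked tag
// names. A naive per-tag check is included for comparison. Listing snippets are constructed.
const BLOCKED_TAGS = ["script", "iframe"]; // names a listing must not build dynamically

// Bodies of all inline <script> elements, so code split across several tags is seen whole.
function inlineScriptBodies(html) {
  const bodies = [], re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (let m; (m = re.exec(html)) !== null; ) bodies.push(m[1]);
  return bodies;
}

// Map variable names to the string literals assigned to them (var az = "SC";).
function collectLiterals(js) {
  const vars = new Map(), re = /(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(["'])((?:\\.|(?!\2).)*)\2/g;
  for (let m; (m = re.exec(js)) !== null; ) vars.set(m[1], m[3]);
  return vars;
}

// Substitute known literals for their names, then collapse "a" + "b" into "ab" until
// nothing changes: a tiny constant folder, but enough for the trick quoted above.
function foldStrings(js) {
  const vars = collectLiterals(js);
  let out = js.replace(/\b[A-Za-z_$][\w$]*\b/g, (id) => (vars.has(id) ? JSON.stringify(vars.get(id)) : id));
  const pair = /(["'])((?:\\.|(?!\1).)*)\1\s*\+\s*(["'])((?:\\.|(?!\3).)*)\3/;
  let prev;
  do { prev = out; out = out.replace(pair, (_, q, a, r, b) => JSON.stringify(a + b)); } while (out !== prev);
  return out;
}

// Blocked tag names spelled out by any string literal in the given code.
function tagsInLiterals(js) {
  const lits = (js.match(/(["'])(?:\\.|(?!\1).)*\1/g) || []).map((s) => s.toLowerCase());
  return BLOCKED_TAGS.filter((t) => lits.some((s) => new RegExp(`\\b${t}\\b`).test(s)));
}

// Naive filter: each <script> body checked on its own, with no folding.
function naiveScan(html) {
  return inlineScriptBodies(html).some((body) => tagsInLiterals(body).length > 0);
}

// Folding scan: the blocked tag names the listing's scripts reconstruct at run-time.
function foldingScan(html) {
  return tagsInLiterals(foldStrings(inlineScriptBodies(html).join("\n")));
}

// Constructed listing snippets: the first uses the fragment trick quoted above.
const OBFUSCATED = '<p>Lamp</p><script>var az = "SC";</script><script>var bz = "RI";' +
  'var cz = "PT";</script><script>var tag = az + bz + cz;</script>';
const BENIGN = '<p>Lamp</p><script>var menu = document.getElementById("cats");' +
  'menu.className = "open";</script>';
```

Matches are candidates for review rather than automatic rejections: a harmless literal such as "the script" is flagged too, which is the trade-off of a cheap text-level check.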
