$(document).ready(function(){
  $.ajax({
    url: "test.html",
    cache: false,
    success: function(html){
      do_something(html);
    }
  });
});

function do_something(html){
  // The fetched response is inserted as markup, not as text
  $("#results").append(html);
}

It's from the jQuery docs, so that is also insecure, because I could
manipulate the html var and fill some <script></script> into it???




On 29 Jan., 18:30, Trend-King <i...@trend-king.de> wrote:
> I think so; who could manipulate that JSON string with <script></
> script> in it?
>
> And it is exactly the same if I don't use JSON: if somewhere in the
> JavaScript there is something like $("box_test").html(var_goes_here), some
> one can manipulate the var_goes_here? And write here <script>alert
> (document.cookie)</script> or something like this???
>
> I'm a little confused, is JavaScript that kind of insecure?
>
> Thanks for your replies, Jens
>
> On 29 Jan., 18:17, Trend-King <i...@trend-king.de> wrote:
>
>
>
> > OK, but why is it not JSON to submit a string variable in JSON within
> > HTML?
> > For example, making a call to a PHP script which returns an array of
> > strings in HTML with which I could update the DOM,
>
> > for example {"items":{"box_test":"Some HTML here","box_test2":"Some
> > HTML there"}}
>
> > and then do something like
>
> > $.each(response.items, function(id, data){
> >     $("#" + id).html(data);
> > });
>
> > in the success function of the ajax call.
>
> > Is that insecure?
>
> > And if the "Some HTML" will be "<script></script>", how insecure is it?
>
> > Thanks for your replies, Jens
>
> > On 29 Jan., 17:52, Eric Garside <gars...@gmail.com> wrote:
>
> > > Honestly, there's not a whole bunch you could do with JSON that's
> > > insecure. The entire meaning of JSON is JavaScript Object Notation.
> > > All it means is, if you were to type a string of JSON out within a
> > > script tag, it would be a JavaScript object.
>
> > > var json = {success: true, name: 'Some Customer', quantity: 8};
>
> > > If you received this via an AJAX call and force processing as JSON
> > > (i.e. using $.getJSON or $.post('url.php', function(data){},
> > > 'json');), then it can basically be trusted to come out only as JSON.
>
> > > That being said, it sounds like you're doing something which is not
> > > JSON, but rather JavaScript being transferred over AJAX.
>
> > > When you said:
>
> > > > ok and that's safe for things like a string $("#cart_info").fadeIn
> > > > (500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> > > > gotten from JSON?
>
> > > You are describing the perfect example of how not to use JSON. If you
> > > allow for this kind of processing to occur in a JSON string, you open
> > > a pretty huge security door, and anyone who can get malicious JS into
> > > your page can do anything from making your page appear blank,
> > > redirecting to a phishing page, or simply just start opening popups
> > > with a bunch of porn.
>
> > > The simplest way to do it is to limit returns, and properly process
> > > your JavaScript. Ideally, you'd do something like:
>
> > > $.get('url.php', function(data){
> > >     if (data.success) fadeCart(500);
> > > }, 'json');
>
> > > function fadeCart(ms){
> > >     var cart = $('#cart_info').fadeIn(ms);
> > >     setTimeout(function(){cart.fadeOut(ms);}, 2000);
> > > }
>
> > > On Jan 29, 11:38 am, Stephan Veigl <stephan.ve...@gmail.com> wrote:
>
> > > > If you are trying to send JavaScript via AJAX that's not JSON. JSON is
> > > > about data only (see:http://json.org/), and that's exactly what makes
> > > > secureEvalJSON() secure. This function checks that there is nothing
> > > > else in your JSON except data, especially no JavaScript commands.
> > > > QUOTE: "secureEvalJSON: Converts from JSON to Javascript, but does so
> > > > while checking to see if the source is actually JSON, and not with
> > > > other Javascript statements thrown in."
>
> > > > If your question is: How secure is it to transfer JavaScript via AJAX?
> > > > Then the answer depends on how secure is your channel, how confident
> > > > are you that the data are really from the expected source and how much
> > > > do you trust your source.
>
> > > > For a first shot I would say that it is insecure by default.
> > > > However, it depends on your application. Most web pages are loaded over
> > > > an insecure channel and from an unidentified source, and we live quite
> > > > well with it - as long as it's not my net banking page or an online
> > > > shop.
> > > > But from your example, I guess you are talking exactly about an online
> > > > shop - then you could use https; this would eliminate the network
> > > > questions, at least.
>
> > > > by(e)
> > > > Stephan
>
> > > > 2009/1/29 Trend-King <i...@trend-king.de>:
>
> > > > > OK, that's right, but $.ajax() also does that, so my problem is how safe it
> > > > > is to pass <script></script> through JSON and then append it to the DOM,
> > > > > and it will be executed.
>
> > > > > On 29 Jan., 15:13, jQuery Lover <ilovejqu...@gmail.com> wrote:
> > > > >> Reading the plugin homepage it does not. It only encodes and decodes
> > > > >> JSON or am I missing anything?
>
> > > > >> ----
> > > > >> Read jQuery HowTo Resource  -  http://jquery-howto.blogspot.com
>
> > > > >> On Thu, Jan 29, 2009 at 6:57 PM, Trend-King <i...@trend-king.de> 
> > > > >> wrote:
>
> > > > > >> > OK, and is that safe for things like a string $("#cart_info").fadeIn
> > > > > >> > (500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> > > > > >> > gotten from JSON?
>
> > > > >> > On 29 Jan., 14:51, Stephan Veigl <stephan.ve...@gmail.com> wrote:
> > > > >> >> hi,
>
> > > > >> >> check out the secureEvalJSON() method of the json 
> > > > >> >> plugin.http://code.google.com/p/jquery-json/
>
> > > > >> >> by(e)
> > > > >> >> Stephan
>
> > > > >> >> 2009/1/29 Trend-King <i...@trend-king.de>:
>
> > > > > >> >> > Hi there, another question from me: how safe is it to eval() data
> > > > > >> >> > gotten via a JSON $.ajax() call?
>
> > > > > >> >> > I want to get JavaScript data to be executed after a JSON
> > > > > >> >> > $.ajax() call.
>
> > > > > >> >> > Or is there another way to do that?

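The thread turns on two separate points: whether the response is parsed as data or executed as code, and whether a string from the response is written into the page as markup or as text. The following is an added example, not code from the thread or from jQuery, written for Node.js without a DOM. The names parseJsonOnly, evalBody, escapeHtml, ACTIONS and handleResponse, and the response strings, are all constructed for illustration; the DOM insertion step is represented by returning the string that would be written, where escapeHtml stands in for jQuery's .text() as opposed to .html().

```javascript
// Added example, not part of the mailing-list thread or of jQuery.
// All function names and sample responses are constructed for illustration.

// 1. Parsing. JSON.parse accepts only a JSON value and throws on anything
//    else, so a body such as $("#cart_info").fadeIn(500); is rejected.
function parseJsonOnly(body) {
  return JSON.parse(body);
}

function isStrictJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// The unsafe alternative for comparison: wrapping the body in parentheses and
// eval-ing it (the old way of reading JSON) runs whatever code the body holds.
function evalBody(body) {
  return eval('(' + body + ')');
}

// 2. Rendering. Escaping the five HTML metacharacters makes a server string
//    inert in an HTML text context; in jQuery this is what .text(data) does
//    and .html(data) does not.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// 3. Dispatch. The server sends facts (success, message); the client maps
//    them onto a fixed set of actions it already knows. Nothing taken from
//    the response is ever evaluated or inserted as markup.
const ACTIONS = {
  fadeCart: function (ms) {
    // In the page this would be $('#cart_info').fadeIn(ms) ...; here we
    // return a description so the behaviour can be checked without a DOM.
    return 'fadeCart(' + ms + ')';
  },
  showMessage: function (text) {
    return 'showMessage(' + escapeHtml(text) + ')';
  },
};

function handleResponse(body) {
  const data = parseJsonOnly(body); // throws if the body is not pure JSON
  const performed = [];
  // Only a boolean true triggers the action; a string that merely looks like
  // JavaScript is just a string and is ignored.
  if (data.success === true) performed.push(ACTIONS.fadeCart(500));
  if (typeof data.message === 'string') performed.push(ACTIONS.showMessage(data.message));
  return performed;
}

// Constructed sample responses: one honest, one carrying a script, one that
// is JavaScript rather than JSON.
const GOOD = '{"success":true,"message":"Item added"}';
const SCRIPT_IN_STRING = '{"success":true,"message":"<script>alert(document.cookie)</script>"}';
const NOT_JSON = '$("#cart_info").fadeIn(500);';

console.log(handleResponse(GOOD));
console.log(handleResponse(SCRIPT_IN_STRING)); // script text escaped, never markup
console.log('strict JSON?', isStrictJson(NOT_JSON)); // false
```

The escaped message is only safe because it is written into a text context; writing escapeHtml output into an attribute, a URL or a script block needs context-specific encoding instead.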