JavaScript is the most insecure thing ever. But only for the current
user of the page. While on your page, I can type into the URL box:
"javascript:alert(document.cookie)" and it will.

And this "problem" isn't even really all that problematic, until you
bring Ajax into it. The fear is never really in giving the user their
info, but in exposing to a user how the data is retrieved. For
example, let's say I've got Firebug running on your page, and I see
that you've sent an Ajax request to:

"getuserinfo.php?id=4"

There's really nothing stopping me from typing in the URL window:

javascript:alert($.get('getuserinfo.php?id=6', function(data){alert(data)}, 'json'));

and getting info I'm not supposed to get, for a user who I'm not. So it
follows that the more information you pass through the JavaScript, and
the fewer server-side checks you perform to ensure a user is who they
say they are, the more information you risk exposing to unauthorized
users. So, in your example, when you're passing

{"items":{"box_test":"Some HTML here","box_test2":"Some
HTML there"}}

It seems benign enough, unless you're passing relevant info, like:

{"items":{"box_test":"<span>Your email: usern...@email.com</span>"}}

So ideally, you never use JSON to pass BACK any information on a user,
and you use an auth token, created by the server, unique to a user's
ID and IP address, before you let any Ajax pass information TO a
database.

So long story short: As long as you're not passing back a user's info
through JSON, you're not as exposed as you could be.


On Jan 29, 12:30 pm, Trend-King <i...@trend-king.de> wrote:
> I think so, who could manipulate that JSON string with <script></script>
> in it?
>
> and it is exactly the same if I don't use JSON, if somewhere in the
> JavaScript is something like $("box_test").html(var_goes_here); someone
> can manipulate the var_goes_here and write here
> <script>alert(document.cookie)</script> or something like this???
>
> I'm a little confused, is JavaScript that kind of insecure?
>
> Thanks for your replies, Jens
>
> On 29 Jan., 18:17, Trend-King <i...@trend-king.de> wrote:
>
> > OK, but why is it not JSON to submit a string variable in JSON within
> > HTML?
> > For example, making a call to a PHP script which returns an array of
> > strings in HTML with which I could update the DOM
>
> > for example {"items":{"box_test":"Some HTML here","box_test2":"Some
> > HTML there"}}
>
> > and then do something like
>
> > // iterate over the items object: each key is an element id, each value its new HTML
> > $.each(response.items, function(id, data){
> >     $('#' + id).html(data);
> > });
>
> > in the success function of the ajax call
>
> > is that insecure?
>
> > and if the "Some HTML" will be <script></script>, how insecure is it?
>
> > Thanks for your replies, Jens
>
> > On 29 Jan., 17:52, Eric Garside <gars...@gmail.com> wrote:
>
> > > Honestly, there's not a whole bunch you could do with JSON that's
> > > insecure. The entire meaning of JSON is Javascript Object Notation.
> > > All it means is, if you were to type a string of json out within a
> > > script tag, it would be a Javascript object.
>
> > > var json = {success: true, name: 'Some Customer', quantity: 8};
>
> > > If you received this via an AJAX call and force processing as JSON
> > > (i.e. using $.getJSON or $.post('url.php', function(data){},
> > > 'json');), then it can basically be trusted to come out only as JSON.
>
> > > That being said, it sounds like you're doing something which is not
> > > JSON, but rather JavaScript being transferred over AJAX.
>
> > > When you said:
>
> > > > OK, and that's safe for things like a string $("#cart_info").fadeIn
> > > > (500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> > > > got from JSON?
>
> > > You are describing the perfect example of how not to use JSON. If you
> > > allow for this kind of processing to occur in a JSON string, you open
> > > a pretty huge security door, and anyone who can get malicious JS into
> > > your page can do anything from making your page appear blank,
> > > redirecting to a phishing page, or simply just start opening popups
> > > with a bunch of porn.
>
> > > The simplest way to do it is to limit returns, and properly process
> > > your JavaScript. Ideally, you'd do something like:
>
> > > // the response carries only a data flag; the script decides what to run
> > > $.get('url.php', function(data){
> > >    if (data.success) fadeCart(500);
> > > }, 'json');
> > >
> > > // duration is taken from the caller instead of being hard-coded
> > > function fadeCart(duration){
> > >     var cart = $('#cart_info').fadeIn(duration);
> > >     setTimeout(function(){cart.fadeOut(duration);}, 2000);
> > > }
>
> > > On Jan 29, 11:38 am, Stephan Veigl <stephan.ve...@gmail.com> wrote:
>
> > > > If you are trying to send JavaScript via AJAX that's not JSON. JSON is
> > > > about data only (see: http://json.org/), and that's exactly what makes
> > > > secureEvalJSON() secure. This function checks that there is nothing
> > > > else in your JSON except data, especially no JavaScript commands.
> > > > QUOTE: "secureEvalJSON: Converts from JSON to Javascript, but does so
> > > > while checking to see if the source is actually JSON, and not with
> > > > other Javascript statements thrown in."
>
> > > > If your question is: How secure is it to transfer JavaScript via AJAX?
> > > > Then the answer depends on how secure is your channel, how confident
> > > > are you that the data are really from the expected source and how much
> > > > do you trust your source.
>
> > > > For the first shot I would say, that it is insecure by default.
> > > > However it depends on your application. Most web pages are loaded over
> > > > an insecure channel and from an unidentified source, and we live quite
> > > > well with it - as long as it's not my net banking page or an online
> > > > shop.
> > > > But from your example, I guess you are talking exactly about an online
> > > > shop - then you could use HTTPS, this would eliminate the network
> > > > questions, at least.
>
> > > > by(e)
> > > > Stephan
>
> > > > 2009/1/29 Trend-King <i...@trend-king.de>:
>
> > > > > OK, that's right, but $.ajax() also does that, so my problem is how safe it
> > > > > is to pass <script></script> through JSON and then append it to the DOM,
> > > > > and it will be executed
>
> > > > > On 29 Jan., 15:13, jQuery Lover <ilovejqu...@gmail.com> wrote:
> > > > >> Reading the plugin homepage it does not. It only encodes and decodes
> > > > >> JSON or am I missing anything?
>
> > > > >> ----
> > > > >> Read jQuery HowTo Resource  -  http://jquery-howto.blogspot.com
>
> > > > >> On Thu, Jan 29, 2009 at 6:57 PM, Trend-King <i...@trend-king.de> 
> > > > >> wrote:
>
> > > > >> > OK, and that's safe for things like a string $("#cart_info").fadeIn
> > > > >> > (500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> > > > >> > got from JSON?
>
> > > > >> > On 29 Jan., 14:51, Stephan Veigl <stephan.ve...@gmail.com> wrote:
> > > > >> >> hi,
>
> > > > >> >> check out the secureEvalJSON() method of the json 
> > > > >> >> plugin.http://code.google.com/p/jquery-json/
>
> > > > >> >> by(e)
> > > > >> >> Stephan
>
> > > > >> >> 2009/1/29 Trend-King <i...@trend-king.de>:
>
> > > > >> >> > Hi there, another question from me: how safe is it to eval() data
> > > > >> >> > got via a JSON $.ajax() call?
>
> > > > >> >> > I want to get JavaScript data to be executed after a JSON
> > > > >> >> > $.ajax() call.
>
> > > > >> >> > or is there another way to do that?
>
>
>
>

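The server-side check that the top post says is missing behind "getuserinfo.php?id=4", as an added example that is not part of the thread: a Node.js stand-in for the PHP endpoint, with the vulnerable handler (the id parameter alone decides whose record comes back) beside one that takes the caller's identity from the server-side session. The user table, the session object and the handler names are constructed for illustration; the example uses a server-side session as the source of identity, where the post talks about a server-issued auth token.

```javascript
// Added example, not code from the thread. Plain Node.js, no framework.
// Constructed sample data standing in for the database behind getuserinfo.php.
const USERS = {
  4: { id: 4, name: "Alice", email: "alice@example.com" },
  6: { id: 6, name: "Bob", email: "bob@example.com" },
};

// The id the browser sends is whatever the page (or the person editing the URL
// bar) put there: the thread's "id=4" becoming "id=6" is one keystroke away.
function parseQuery(url) {
  const params = new URL(url, "http://localhost").searchParams;
  return { id: params.get("id") };
}

// Vulnerable handler: trusts the id parameter. Anyone, logged in or not, can
// walk the ids and read every user's record.
function getUserInfoVulnerable(session, url) {
  const { id } = parseQuery(url);
  const user = USERS[Number(id)];
  return user ? { status: 200, body: user } : { status: 404, body: null };
}

// Hardened handler: identity comes from the server-side session, never from
// the request. An id parameter is tolerated only when it matches the
// authenticated user; any other id is refused rather than served.
function getUserInfoSecure(session, url) {
  if (!session || !Number.isInteger(session.userId)) {
    return { status: 401, body: null }; // not logged in
  }
  const { id } = parseQuery(url);
  if (id !== null && Number(id) !== session.userId) {
    return { status: 403, body: null }; // asking for someone else's record
  }
  const user = USERS[session.userId];
  return user ? { status: 200, body: user } : { status: 404, body: null };
}

// Demo: Alice (id 4) is logged in and her browser asks for Bob's (id 6) record.
const aliceSession = { userId: 4 }; // constructed session, as a cookie lookup would yield
console.log(getUserInfoVulnerable(aliceSession, "getuserinfo.php?id=6").body.email); // bob@example.com
console.log(getUserInfoSecure(aliceSession, "getuserinfo.php?id=6").status);         // 403
console.log(getUserInfoSecure(aliceSession, "getuserinfo.php").body.email);          // alice@example.com
```

Whatever carries the identity (a session cookie, a signed token), the point is the same: the server resolves who is asking and compares it to what is being asked for, instead of letting the id in the query string answer both questions.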
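The client side of the discussion, as an added example that is not part of the thread and not the jquery-json plugin's code: first, decoding the Ajax response as data only, which is what the thread describes secureEvalJSON() as checking and what JSON.parse does natively (it throws on anything that is not a JSON value, where eval() would run it); second, escaping the decoded strings before they would reach .html(), so a smuggled <script> renders as text. It runs under Node.js with no DOM; the three response strings and the plain object standing in for the page are constructed.

```javascript
// Added example, not code from the thread or from jquery-json.

// Constructed response an attacker who can influence the server output would
// like you to eval(): a JSON-looking object followed by a JavaScript statement.
const TAMPERED_RESPONSE =
  '({"success": true, "items": {}}); globalThis.injected = "code ran"';

// Constructed response from an honest server: data only.
const HONEST_RESPONSE =
  '{"success": true, "items": {"box_test": "Some HTML here", "box_test2": "Some HTML there"}}';

// Constructed response carrying the thread's worry: a script tag inside a string.
const SCRIPTED_RESPONSE =
  '{"success": true, "items": {"box_test": "<script>alert(document.cookie)</script>"}}';

// The eval() route: whatever the response contains is executed, data or not.
function decodeWithEval(text) {
  return eval(text); // deliberately unsafe, shown for contrast
}

// Data-only decode: JSON.parse accepts JSON values and nothing else, so a
// statement appended to the payload becomes a rejected response, not code.
function decodeJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: "response is not pure JSON: " + err.message };
  }
}

// Escape the five characters that let a string break out of text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Counterpart of the thread's loop over response.items: each value is escaped
// before it becomes element content. `page` stands in for the DOM; page[id]
// receives what $('#' + id).html(...) would have been given.
function renderItems(responseText, page) {
  const decoded = decodeJson(responseText);
  if (!decoded.ok || !decoded.value.success) return page; // nothing trusted, nothing rendered
  for (const [id, text] of Object.entries(decoded.value.items || {})) {
    page[id] = escapeHtml(text);
  }
  return page;
}

// Demo.
decodeWithEval(TAMPERED_RESPONSE);
console.log(globalThis.injected);                      // "code ran": eval executed the tail
console.log(decodeJson(TAMPERED_RESPONSE).ok);         // false: JSON.parse refused it
console.log(renderItems(HONEST_RESPONSE, {}).box_test); // "Some HTML here"
console.log(renderItems(SCRIPTED_RESPONSE, {}).box_test); // "&lt;script&gt;alert(document.cookie)&lt;/script&gt;"
```

Escaping cuts both ways: a server that really intends to send markup will see it rendered as literal text. That is the trade-off behind Eric's pattern of returning a data flag and keeping the markup and the animation calls in the page's own script, rather than shipping HTML or JavaScript in the response.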