What kind of data are you dealing with? It all depends on the information being passed.

I wouldn't say 'hack'. JavaScript is like a macro language; it's totally exposed to the user. You can see the source code, do whatever you want at runtime, etc. It's up to you to make sure that all sensitive data is handled correctly *server-side* and securely served. You should structure your app thinking of GET and POST requests, not JavaScript itself. As long as you have a secure process, JS can do no harm.

Answering your original question, I agree with Eric Garside: you should ideally only return relevant data in JSON, and call any animations, effects or processing on success. Not for security, as it won't make a difference, but for simplicity / organization.

There are many ways to insert and run scripts anywhere you want on a page; no one should be handing sensitive data to JavaScript in the first place.

cheers,
- ricardo

On Jan 29, 6:04 pm, Trend-King <i...@trend-king.de> wrote:
> thank you :-( now I am scared to do something with JavaScript or AJAX
> or JSON.
>
> who or how can I check the security of my script?
>
> is it as easy as you say to hack JavaScript?
>
> Eric Garside wrote:
>
> > Technically yes. But only if you don't trust your own server. :)
> >
> > Like, because of the security concern, you can ONLY ajax from the same
> > domain. (*.whatever.com can only perform an AJAX request on
> > *.whatever.com domains).
> >
> > However, you were talking about JSON in the beginning, which has
> > methods for fetching cross-domain JavaScript. I.e., you can call:
> >
> > $.getJSON() or $.ajax({type: 'json'}) with the correct params, and
> > pull JSON from a site like... twitter, or flickr.
> >
> > However, the more unsanitized data you just arbitrarily set in pages,
> > the larger the risk you run of a problem. Now, your chances of getting
> > bad or malicious data from flickr or twitter or any other major web
> > service is small. But it exists.
> >
> > On Jan 29, 12:47 pm, Trend-King <i...@trend-king.de> wrote:
> > > $(document).ready(function(){
> > >   $.ajax({
> > >     url: "test.html",
> > >     cache: false,
> > >     success: function(html){
> > >       do_something(html);
> > >     }
> > >   });
> > > });
> > >
> > > function do_something(html){
> > >   $("#results").append(html);
> > > }
> > >
> > > it's from the jQuery docs so that is also insecure, because I could
> > > manipulate the html var and fill some <script></script> in it???
> > >
> > > On 29 Jan., 18:30, Trend-King <i...@trend-king.de> wrote:
> > > > I think so, who could manipulate that JSON string with <script></script> in it?
> > > >
> > > > and it is exactly the same if I don't use JSON: if somewhere in the
> > > > JavaScript is something like $("box_test").html(var_goes_here); someone
> > > > can manipulate the var_goes_here? and write here <script>alert(document.cookie)</script>
> > > > or something like this???
> > > >
> > > > I'm a little confused, is JavaScript that kind of insecure?
> > > >
> > > > thanks for your replies Jens
> > > >
> > > > On 29 Jan., 18:17, Trend-King <i...@trend-king.de> wrote:
> > > > > ok, but why is it not JSON to submit a string variable in JSON within
> > > > > HTML?
> > > > > for example making a call to a PHP script which returns an array of
> > > > > strings in HTML with which I could update the DOM
> > > > >
> > > > > for example {"items":{"box_test":"Some HTML here","box_test2":"Some HTML there"}}
> > > > >
> > > > > and then do something like
> > > > >
> > > > > $(response.items).each(function(id,data){
> > > > >   $(id).html(data);
> > > > > });
> > > > >
> > > > > in the success function of the ajax call
> > > > >
> > > > > is that insecure?
> > > > >
> > > > > and if the "Some HTML" will be <script></script>, how insecure is it?
> > > > >
> > > > > Thanks for your replies Jens
> > > > >
> > > > > On 29 Jan., 17:52, Eric Garside <gars...@gmail.com> wrote:
> > > > > > Honestly, there's not a whole bunch you could do with JSON that's
> > > > > > insecure. The entire meaning of JSON is JavaScript Object Notation.
> > > > > > All it means is, if you were to type a string of JSON out within a
> > > > > > script tag, it would be a JavaScript object.
> > > > > >
> > > > > > var json = {success: true, name: 'Some Customer', quantity: 8};
> > > > > >
> > > > > > If you received this via an AJAX call and force processing as JSON
> > > > > > (i.e. using $.getJSON or $.post('url.php', function(data){}, 'json');),
> > > > > > then it can basically be trusted to come out only as JSON.
> > > > > >
> > > > > > That being said, it sounds like you're doing something which is not
> > > > > > JSON, but rather JavaScript being transferred over AJAX.
> > > > > >
> > > > > > When you said:
> > > > > >
> > > > > > > ok and that's safe for things like a string $("#cart_info").fadeIn(500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> > > > > > > gotten from JSON?
> > > > > >
> > > > > > You are describing the perfect example of how not to use JSON. If you
> > > > > > allow for this kind of processing to occur in a JSON string, you open
> > > > > > a pretty huge security door, and anyone who can get malicious JS into
> > > > > > your page can do anything from making your page appear blank,
> > > > > > redirecting to a phishing page, or simply just start opening popups
> > > > > > with a bunch of porn.
> > > > > >
> > > > > > The simplest way to do it is to limit returns, and properly process
> > > > > > your JavaScript. Ideally, you'd do something like:
> > > > > >
> > > > > > $.get('url.php', function(data){
> > > > > >   if (data.success) fadeCart(500);
> > > > > > }, 'json');
> > > > > >
> > > > > > function fadeCart(ms){
> > > > > >   var cart = $('#cart_info').fadeIn(ms);
> > > > > >   setTimeout(function(){ cart.fadeOut(ms); }, 2000);
> > > > > > }
> > > > > >
> > > > > > On Jan 29, 11:38 am, Stephan Veigl <stephan.ve...@gmail.com> wrote:
> > > > > > > If you are trying to send JavaScript via AJAX that's not JSON. JSON is
> > > > > > > about data only (see: http://json.org/), and that's exactly what makes
> > > > > > > secureEvalJSON() secure. This function checks that there is nothing
> > > > > > > else in your JSON except data, especially no JavaScript commands.
> > > > > > >
> > > > > > > QUOTE: "secureEvalJSON: Converts from JSON to Javascript, but does so
> > > > > > > while checking to see if the source is actually JSON, and not with
> > > > > > > other Javascript statements thrown in."
> > > > > > >
> > > > > > > If your question is: How secure is it to transfer JavaScript via AJAX?
> > > > > > > Then the answer depends on how secure your channel is, how confident
> > > > > > > you are that the data are really from the expected source and how much
> > > > > > > you trust your source.
> > > > > > >
> > > > > > > For the first shot I would say that it is insecure by default.
> > > > > > > However it depends on your application. Most web pages are loaded over
> > > > > > > an insecure channel and from an unidentified source, and we live quite
> > > > > > > well with it - as long as it's not my net banking page or an online
> > > > > > > shop.
> > > > > > > But from your example, I guess you are talking exactly about an online
> > > > > > > shop - then you could use https; this would eliminate the network
> > > > > > > questions, at least.
> > > > > > >
> > > > > > > by(e)
> > > > > > > Stephan
> > > > > > >
> > > > > > > 2009/1/29 Trend-King <i...@trend-king.de>:
> > > > > > > > ok that's right but $.ajax() also does that, so my problem is how safe it
> > > > > > > > is to pass <script></script> through JSON and then append it to the DOM
> > > > > > > > and it will be executed
> > > > > > > >
> > > > > > > > On 29 Jan., 15:13, jQuery Lover <ilovejqu...@gmail.com> wrote:
> > > > > > > > > Reading the plugin homepage it does not. It only encodes and decodes
> > > > > > > > > JSON or am I missing anything?
> > > > > > > > >
> > > > > > > > > ----
> > > > > > > > > Read jQuery HowTo Resource - http://jquery-howto.blogspot.com
> > > > > > > > >
> > > > > > > > > On Thu, Jan 29, 2009 at 6:57 PM, Trend-King <i...@trend-king.de> wrote:
> > > > > > > > > > ok and that's safe for things like a string
> > > > > > > > > > $("#cart_info").fadeIn(500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> > > > > > > > > > gotten from JSON?
> > > > > > > > > >
> > > > > > > > > > On 29 Jan., 14:51, Stephan Veigl <stephan.ve...@gmail.com> wrote:
> > > > > > > > > > > hi,
> > > > > > > > > > >
> > > > > > > > > > > check out the secureEvalJSON() method of the json plugin:
> > > > > > > > > > > http://code.google.com/p/jquery-json/
> > > > > > > > > > >
> > > > > > > > > > > by(e)
> > > > > > > > > > > Stephan
> > > > > > > > > > >
> > > > > > > > > > > 2009/1/29 Trend-King <i...@trend-king.de>:
> > > > > > > > > > > > Hi there, another question from me: how safe is it to eval() data
> > > > > > > > > > > > gotten via a JSON $.ajax() call?
> > > > > > > > > > > >
> > > > > > > > > > > > I want to get JavaScript data to be executed after the JSON
> > > > > > > > > > > > $.ajax() call.
> > > > > > > > > > > >
> > > > > > > > > > > > or is there another way to do that?
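The pattern Eric Garside and ricardo recommend (return data only, then call a page-side function on success, never eval a script string from the response) written out as an added example that is not from the thread, in plain JavaScript rather than jQuery so it runs under Node. The function names `parseDataOnly`, `handleCartResponse`, `ALLOWED_EFFECTS`, `escapeHtml` and the response fields `success`, `effect`, `duration` are assumptions made up for this illustration.

```javascript
// Effects the page is willing to run. The server only names one of them in
// its JSON; it never ships code. Each returns a description here instead of
// animating, so the example is testable without a DOM. (Names are assumed.)
const ALLOWED_EFFECTS = {
  fadeCart(duration) {
    // In the page this would be $('#cart_info').fadeIn(duration) and a
    // setTimeout(...fadeOut...), as in Eric Garside's fadeCart().
    return `fadeCart(${duration})`;
  },
  showError(duration) {
    return `showError(${duration})`;
  },
};

// Strict parse: the body must be JSON (data), not JavaScript. A body such as
// `$("#cart_info").fadeIn(500);` is not valid JSON and is rejected here,
// which is the guarantee secureEvalJSON() from the json plugin is after.
function parseDataOnly(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return null;
  }
  return data !== null && typeof data === 'object' && !Array.isArray(data) ? data : null;
}

// Dispatch on the parsed data. The effect name is looked up in the allow-list
// (own properties only, so "constructor" or "__proto__" do not resolve);
// anything unknown, script-like or not, is simply ignored.
function handleCartResponse(body) {
  const data = parseDataOnly(body);
  if (data === null || data.success !== true) return { ok: false, ran: null };
  const effect = Object.prototype.hasOwnProperty.call(ALLOWED_EFFECTS, data.effect)
    ? ALLOWED_EFFECTS[data.effect] : null;
  if (effect === null) return { ok: true, ran: null };
  const duration = Number.isInteger(data.duration) && data.duration > 0 ? data.duration : 500;
  return { ok: true, ran: effect(duration) };
}

// For the {"box_test":"Some HTML here"} case from the thread: server strings go
// into the DOM as text (the equivalent of .text()) rather than .html(), so a
// <script> tag in the payload is displayed, not executed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
```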