If that's the case, then you're certainly not exposing any important
information, but it's still not as efficient. With Javascript and JSON
alike, the longer the data, the longer it takes to load (this isn't
super relevant with tiny bits of info that are under 1k or so), but
when you get into transferring larger strings of HTML and animation,
it can build up processing time.

The nice thing about JS is that it can take a lot of load off your
server if you use it correctly. If you're using PHP or something like
that on the backend to generate HTML, or even transfer strings of
pre-written HTML over an AJAX call, that's still something your server has
to do. However, if you program the logic you need for those kinds of
displays into your initial javascript, you can farm a lot of the
display tasks off to Javascript.

I'd suggest using keywords to trigger events on your page. For
example, you posted at one point you send strings like this across:

> $("#cart_info").fadeIn(500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);

You can do this a lot easier if you use keyword strings instead.

Let's assume you send the following response:
{animations: 'cartHighlight,boxSlideIn'}

And have some kind of javascript like this:

$(function(){
   // Every effect the page can perform is named here; the server only
   // sends keywords, never code.
   var animation_library = {
       cartHighlight: function(){
          $("#cart_info").fadeIn(500);
          setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
       },
       boxSlideIn: function(){
          $('#textBox').slideDown(500);
       },
       boxSlideOut: function(){
          $('#textBox').slideUp(500);
       },
       cartSuccess: function(){
           $('#cart_info').append('<div class="ui-highlight">You have added an item into your cart!</div>');
       }
   };

   // animations arrives as a comma-separated keyword string,
   // e.g. 'cartHighlight,boxSlideIn'; unknown keywords are ignored.
   function checkAnimations(animations){
      if (!animations) return;
      $.each(animations.split(','), function(i, name){
         if (!animation_library[name]) return;
         animation_library[name]();
      });
   }

   $.post('someurl.php', function(data){
       // ... do some stuff here ...
      checkAnimations(data.animations);
   }, 'json');

});

That will trim down your json responses a lot, and farm all the
effects stuff out to your visitor's computer instead!
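As an added example (not code from this thread), the keyword approach above with the parsing step made explicit: the response body goes through JSON.parse rather than eval, and only keywords present in a fixed allow-list are run; anything else in the string, including JavaScript, is ignored. The jQuery effects are replaced by plain stand-in functions so it runs under Node, and the names animationLibrary, parseResponse, runAnimations and handleResponse are assumptions of this example.

```javascript
// Added example (not from the thread): the response is treated as data only.
// It is parsed with JSON.parse, never eval, and the "animations" field is a
// list of keywords looked up in a fixed allow-list; anything else is ignored.
// jQuery effects are stand-ins (plain functions) so this runs under Node.

// Allow-list of effects the page knows how to perform. The server can only
// name one of these; it cannot ship code.
const animationLibrary = {
  cartHighlight: () => 'cart_info: fadeIn, then fadeOut after 2s',
  boxSlideIn:    () => 'textBox: slideDown',
  boxSlideOut:   () => 'textBox: slideUp',
};

// Parse the raw body strictly. JSON.parse throws on anything that is not a
// JSON literal, so a body like '$("#x").fadeIn(500)' or an object literal with
// unquoted keys never becomes executable.
function parseResponse(body) {
  const data = JSON.parse(body);
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('response must be a JSON object');
  }
  return data;
}

// Run the requested animations and return the keywords actually executed.
function runAnimations(body, library = animationLibrary) {
  const data = parseResponse(body);
  if (typeof data.animations !== 'string') return [];
  const ran = [];
  for (const name of data.animations.split(',')) {
    const key = name.trim();
    // Own-property check: keywords such as "toString" or "constructor" must
    // not resolve to something inherited from Object.prototype.
    if (!Object.prototype.hasOwnProperty.call(library, key)) continue;
    library[key]();
    ran.push(key);
  }
  return ran;
}

// What an AJAX success handler would use: report a malformed body instead
// of throwing.
function handleResponse(body) {
  try {
    return { ok: true, ran: runAnimations(body) };
  } catch (e) {
    return { ok: false, ran: [], error: e.message };
  }
}
```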

On Jan 29, 3:58 pm, Trend-King <i...@trend-king.de> wrote:
> the data I handle is the same data the user would see if he clicks on
> the link via page reload.
>
> the only difference is the data is being requested via ajax and only
> has the needed information in it. I say it like this: only boxes are
> updated.
>
> for example if the user clicks the add to cart without javascript he
> gets a reload and the item is added to cart; with javascript on it
> makes the same uri call with a GET variable ajax=1 and then it only
> returns the updated elements in a JSON array and each updates the DOM.
>
> greet
>
> Trend-King schrieb:
>
> > thank you :-( now I am scared to do something with javascript or ajax
> > or JSON.
>
> > who or how can I check the security of my script?
>
> > is it as easy as you say to hack javascript?
>
> > Eric Garside schrieb:
> > > Technically yes. But only if you don't trust your own server. :)
>
> > > Like, because of the security concern, you can ONLY ajax from the same
> > > domain. (*.whatever.com can only perform an AJAX request on
> > > *.whatever.com domains).
>
> > > However, you were talking about JSON in the beginning, which has
> > > methods for fetching cross-domain Javascript. I.e., you can call:
>
> > > $.getJSON() or $.ajax({type: 'json'}) with the correct params, and
> > > pull JSON from a site like... twitter, or flickr.
>
> > > However, the more unsanitized data you just arbitrarily set in pages,
> > > the larger the risk you run of a problem. Now, your chances of getting
> > > bad or malicious data from flickr or twitter or any other major web
> > > service is small. But it exists.
>
> > > On Jan 29, 12:47 pm, Trend-King <i...@trend-king.de> wrote:
> > > > $(document).ready(function(){
> > > > $.ajax({
> > > >   url: "test.html",
> > > >   cache: false,
> > > >   success: function(html){
> > > >    do_something(html)  }
>
> > > > });
> > > > });
>
> > > > function do_something(html){
> > > >     $("#results").append(html);
>
> > > > }
>
> > > > it's from the jquery docs so that is also insecure, because I could
> > > > manipulate the html var and fill some <script></script> in it???
>
> > > > On 29 Jan., 18:30, Trend-King <i...@trend-king.de> wrote:
>
> > > > > i think so, who could manipulate that JSON string with <script></
> > > > > script> in it?
>
> > > > > and it is exactly the same if I don't use JSON if somewhere in the
> > > > > javascript is something like $("box_test").html(var_goes_here); some
> > > > > one can manipulate the var_goes_here? and write here <script>alert
> > > > > (document.cookie)</script> or something like this???
>
> > > > > I'm a little confused, is javascript that kind of insecure?
>
> > > > > thanks for your replies Jens
>
> > > > > On 29 Jan., 18:17, Trend-King <i...@trend-king.de> wrote:
>
> > > > > > ok, but why is it not JSON to submit a string variable in json within
> > > > > > HTML?
> > > > > > for example making a call to a php script which returns an array of
> > > > > > strings in HTML for which I could update the DOM
>
> > > > > > for example {"items":{"box_test":"Some HTML here","box_test2":"Some
> > > > > > HTML there"}}
>
> > > > > > and then do something like
>
> > > > > > $.each(response.items, function(id, html){
> > > > > >    $('#' + id).html(html);
> > > > > > });
>
> > > > > > in the success function of the ajax call
>
> > > > > > is that insecure?
>
> > > > > > and if the "Some HTML will be <script></script>" how insecure is it?
>
> > > > > > Thanks for your replies Jens
>
> > > > > > On 29 Jan., 17:52, Eric Garside <gars...@gmail.com> wrote:
>
> > > > > > > Honestly, there's not a whole bunch you could do with JSON that's
> > > > > > > insecure. The entire meaning of JSON is Javascript Object Notation.
> > > > > > > All it means is, if you were to type a string of json out within a
> > > > > > > script tag, it would be a Javascript object.
>
> > > > > > > var json = {success: true, name: 'Some Customer', quantity: 8};
>
> > > > > > > If you received this via an AJAX call and force processing as JSON
> > > > > > > (i.e. using $.getJSON or $.post('url.php', function(data){},
> > > > > > > 'json');), then it can basically be trusted to come out only as JSON.
>
> > > > > > > That being said, it sounds like you're doing something which is not
> > > > > > > JSON, but rather JavaScript being transferred over AJAX.
>
> > > > > > > When you said:
>
> > > > > > > > ok and that's safe for things like a string $("#cart_info").fadeIn
> > > > > > > > (500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> > > > > > > > got from JSON?
>
> > > > > > > You are describing the perfect example of how not to use JSON. If you
> > > > > > > allow for this kind of processing to occur in a json string, you open
> > > > > > > a pretty huge security door, and anyone who can get malicious JS into
> > > > > > > your page can do anything from making your page appear blank,
> > > > > > > redirecting to a phishing page, or simply just start opening popups
> > > > > > > with a bunch of porn.
>
> > > > > > > The simplest way to do it is to limit returns, and properly process
> > > > > > > your javascript. Ideally, you'd do something like:
>
> > > > > > > $.get('url.php', function(data){
> > > > > > >    if (data.success) fadeCart(500);
> > > > > > > }, 'json');
>
> > > > > > > function fadeCart(duration){
> > > > > > >     var cart = $('#cart_info').fadeIn(duration);
> > > > > > >     setTimeout(function(){cart.fadeOut(duration);}, 2000);
> > > > > > > }
>
> > > > > > > On Jan 29, 11:38 am, Stephan Veigl <stephan.ve...@gmail.com> wrote:
>
> > > > > > > > If you are trying to send JavaScript via AJAX that's not JSON. JSON is
> > > > > > > > about data only (see: http://json.org/), and that's exactly what makes
> > > > > > > > secureEvalJSON() secure. This function checks that there is nothing
> > > > > > > > else in your JSON except data, especially no JavaScript commands.
> > > > > > > > QUOTE: "secureEvalJSON: Converts from JSON to Javascript, but does so
> > > > > > > > while checking to see if the source is actually JSON, and not with
> > > > > > > > other Javascript statements thrown in."
>
> > > > > > > > If your question is: How secure is it to transfer JavaScript via AJAX?
> > > > > > > > Then the answer depends on how secure is your channel, how confident
> > > > > > > > are you that the data are really from the expected source and how much
> > > > > > > > do you trust your source.
>
> > > > > > > > For the first shot I would say, that it is insecure by default.
> > > > > > > > However it depends on your application. Most web pages are loaded over
> > > > > > > > an insecure channel and from an unidentified source, and we live quite
> > > > > > > > well with it - as long as it's not my net banking page or an online
> > > > > > > > shop.
> > > > > > > > But from your example, I guess you are talking exactly about an online
> > > > > > > > shop - then you could use https, this would eliminate the network
> > > > > > > > questions, at least.
>
> > > > > > > > by(e)
> > > > > > > > Stephan
>
> > > > > > > > 2009/1/29 Trend-King <i...@trend-king.de>:
>
> > > > > > > > > ok that's right but $.ajax() also does that so my problem is how safe
> > > > > > > > > it is to pass <script></script> through JSON and then append it to the
> > > > > > > > > DOM and it will be executed
>
> > > > > > > > > On 29 Jan., 15:13, jQuery Lover <ilovejqu...@gmail.com> wrote:
> > > > > > > > >> Reading the plugin homepage it does not. It only encodes and decodes
> > > > > > > > >> JSON or am I missing anything?
>
> > > > > > > > >> ----
> > > > > > > > >> Read jQuery HowTo Resource  -  http://jquery-howto.blogspot.com
>
> > > > > > > > >> On Thu, Jan 29, 2009 at 6:57 PM, Trend-King <i...@trend-king.de> wrote:
>
> > > > > > > > >> > ok and that's safe for things like a string $("#cart_info").fadeIn
> > > > > > > > >> > (500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> > > > > > > > >> > got from JSON?
>
> > > > > > > > >> > On 29 Jan., 14:51, Stephan Veigl <stephan.ve...@gmail.com> wrote:
> > > > > > > > >> >> hi,
>
> > > > > > > > >> >> check out the secureEvalJSON() method of the json plugin.
> > > > > > > > >> >> http://code.google.com/p/jquery-json/
>
> > > > > > > > >> >> by(e)
> > > > > > > > >> >> Stephan
>
> > > > > > > > >> >> 2009/1/29 Trend-King <i...@trend-king.de>:
>
> > > > > > > > >> >> > Hi there another question from me, how safe is it to eval() data
> > > > > > > > >> >> > received via a JSON $.ajax() call
>
> > > > > > > > >> >> > I want to get javascript data to be executed after a JSON $.ajax() call.
>
> > > > > > > > >> >> > or is there another way to do that?