Object JavaScript and security

Peter Johnson
Do you address security in the book? For example, how to prevent cross-site scripting attacks. I need to be convinced of a web site's safeness before I tell Firefox's NoScript plugin to allow scripts to run, so knowing how to assure my customers of my site's safeness is essential for using JavaScript to build my site.

Stoyan Stefanov
JavaScript can be dangerous, true. The worst mistakes are on the backend, though: when you don't escape HTML properly on the backend and end up printing user input verbatim, you've got XSS. If a potential hacker can trick your backend into printing unescaped user input, he can then use JavaScript to read your session cookie and send it to himself, and so on.

The web is an insecure place: HTML is insecure, JavaScript is insecure, there's no sandboxing. Don't use eval for JSON data requests; in fact, never use eval. Don't include third-party JavaScripts in your pages unless you really, really trust them, since they get access to everything your own scripts have access to.
 