Object JavaScript and security

Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5776
    
    7

Do you address security in the book? For example, how to prevent cross-site scripting attacks. I need to be convinced of a web site's safeness before I tell Firefox's NoScript plugin to allow scripts to run, so knowing how to assure my customers of my site's safeness is essential for using JavaScript to build my site.


JBoss In Action
Stoyan Stefanov
author
Ranch Hand

Joined: Jul 16, 2008
Posts: 61
JavaScript can be dangerous, true. The worst mistakes are on the backend though: when on the backend you don't escape HTML properly and end up printing user input verbatim, you've got XSS. If the potential hacker can trick your backend into printing unescaped user input, he can then use JavaScript to read and send himself your session cookie and so on.

The web is an insecure place; HTML is insecure, JavaScript is insecure, there's no sandboxing. Don't use eval for JSON data requests; in fact, never use eval. Don't include 3rd-party JavaScript in your pages unless you really, really trust it, since it gets access to everything your own scripts have access to.


my OOJS book: http://www.thinkinginjavascript.com
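The two defensive points in the reply above (escape untrusted input before it reaches HTML, and parse JSON with JSON.parse rather than eval), shown as an added example that is not from the thread or from the book. The sample inputs are constructed; the function names are mine. It runs unchanged in Node.js or a browser console.

```javascript
// Added example (not from the original thread): backend-side HTML escaping
// and JSON parsing without eval, side by side with the unsafe versions.

// The five characters that can break out of HTML text or a quoted attribute,
// mapped to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value at the point it is interpolated into markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated straight into markup, so any tags
// in the input are rendered as tags (the mistake the reply describes).
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Fixed: the same template, with the untrusted value escaped.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Vulnerable: eval executes whatever the response body contains, so a
// compromised or spoofed response runs as code in the page.
function parseResponseWithEval(body) {
  return eval('(' + body + ')');
}

// Fixed: JSON.parse accepts the JSON grammar only and throws on anything else.
function parseResponseSafe(body) {
  return JSON.parse(body);
}

// Constructed sample inputs.
const CONSTRUCTED_NAME = "<script>alert('xss')</script>";
const CONSTRUCTED_JSON = '{"user":"alice","admin":false}';
// Valid JavaScript, not valid JSON: eval will happily evaluate the method call.
const CONSTRUCTED_NOT_JSON = '({"user":"alice"}).user.toUpperCase()';

// Returns true if JSON.parse rejects the body, i.e. the body is not JSON.
function isRejectedAsJson(body) {
  try {
    parseResponseSafe(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

function demo() {
  return {
    unsafeMarkup: renderGreetingUnsafe(CONSTRUCTED_NAME),
    safeMarkup: renderGreetingSafe(CONSTRUCTED_NAME),
    parsed: parseResponseSafe(CONSTRUCTED_JSON),
    evalRanCode: parseResponseWithEval(CONSTRUCTED_NOT_JSON),
    jsonParseRefused: isRejectedAsJson(CONSTRUCTED_NOT_JSON),
  };
}

console.log(demo());
```

The escaped output still shows the literal text `<script>` to the user, but the browser never parses it as a tag; the non-JSON body is executed by eval yet refused by JSON.parse, which is the whole point of the "never use eval" advice.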