Object JavaScript and security

Peter Johnson

Joined: May 14, 2008
Posts: 5852

Do you address security in the book? For example, how to prevent cross-site scripting attacks. I need to be convinced of a web site's safeness before I tell Firefox's NoScript plugin to allow scripts to run, so knowing how to assure my customers of my site's safeness is essential for using JavaScript to build my site.

JBoss In Action
Stoyan Stefanov
Ranch Hand

Joined: Jul 16, 2008
Posts: 61
JavaScript can be dangerous, true. The worst mistakes are on the backend though: when on the backend you don't escape HTML properly and end up printing user input verbatim, you get XSS. If a potential hacker can trick your backend into printing unescaped user input, he can then use JavaScript to read and send himself your session cookie and so on.

The web is an insecure place: HTML is insecure, JavaScript is insecure, there's no sandboxing. Don't use eval for JSON data requests; in fact, never use eval. Don't include 3rd-party JavaScripts in your pages unless you really, really trust them, since they get access to everything your own scripts have access to.

my OOJS book: http://www.thinkinginjavascript.com
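The two points in the reply above, shown as an added example that is not from the thread or the book: escaping user input at the point where it is written into HTML, and parsing a JSON body with JSON.parse instead of eval. The function names and the sample input are constructed for illustration; it runs under Node.js with no dependencies.

```javascript
// Characters that can change HTML context, mapped to their entities.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text for an HTML body or a quoted attribute value.
// Other contexts (URLs, inline script, CSS) need their own encoders.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The backend mistake described above: user input printed verbatim into markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// The fix: escape exactly where data meets HTML.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Constructed sample: a "name" that is really a script tag.
const SAMPLE_INPUT = '<script>alert(1)</script>';

// JSON.parse accepts only JSON, so a body that is actually code is rejected
// with a SyntaxError instead of being executed the way eval() would run it.
function parseJsonResponse(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Runs both the rendering and the parsing cases and returns the results.
function demo() {
  return {
    unsafe: renderGreetingUnsafe(SAMPLE_INPUT),
    safe: renderGreetingSafe(SAMPLE_INPUT),
    json: parseJsonResponse('{"user":"bob","items":[1,2]}'),
    notJson: parseJsonResponse('alert(1); ({"user":"bob"})'),
  };
}

console.log(demo());
```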