Reputation: 49817
I would like to know if embedded JS is a problem for site security. I mean, if I have a text input and I need to manipulate what the user types into it, and I put '<script> alert('hey');</script>'
inside the text input, because of the manipulation it is executed in the browser, but then in my server-side script I remove all non-secure tags from that string, so I think I will have no problems server-side. But what about the browser side?
If a malicious user embeds something like $(document).load(some malicious script);
will it be a problem on the browser side? This is maybe a banal question, I know, but I have always asked myself this: if, for example, in Firebug I embed $(something).load(something)
just as an example, can this be a security problem?
Hope my question is clear, sorry for my bad English :|
Upvotes: 0
Views: 499
Reputation: 160181
You want to read up on XSS (and here). If you encode all the HTML parts that could launch script tags (see the OWASP XSS prevention cheat sheet), you will be fine; when the string is returned to the client there won't be any scripts left to execute. If any script remains, however, and it's returned to the client, the potential for sadness remains.
Upvotes: 1
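The difference between removing tags and encoding output, as an added example that is not part of the original question or answer: it renders a user-supplied value back into a text input twice, once through a tag-stripping filter and once through HTML encoding, and checks whether the result is still a single inert input element. The helper names, the `name="q"` field and the sample inputs are constructed for illustration.

```javascript
// Added example; helper names and sample inputs are constructed, not from the page.

// Filter of the kind the question describes: remove <script> elements only.
function stripScriptTags(input) {
  return String(input).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Output encoding for HTML element content and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Echo the submitted value back into the text input (hypothetical field name "q").
function renderInput(value, sanitize) {
  return '<input type="text" name="q" value="' + sanitize(value) + '">';
}

// Structural check: the output must still be exactly one input element whose
// value contains no quote or angle bracket that could end the attribute or tag.
function isInert(html) {
  return /^<input type="text" name="q" value="[^"<>]*">$/.test(html);
}

// Constructed sample inputs.
const SAMPLES = [
  "<script>alert('hey');</script>", // the string from the question
  "\" onfocus=\"alert('hey')",      // no <script> tag, so the strip filter passes it through
  'Tom & "Jerry" <3',               // harmless text that still contains special characters
];

// For each sample, report whether each approach leaves inert markup.
function audit(samples) {
  return samples.map((s) => ({
    input: s,
    stripInert: isInert(renderInput(s, stripScriptTags)),
    encodeInert: isInert(renderInput(s, encodeHtml)),
  }));
}

console.log(audit(SAMPLES));
```

Encoding has to match the output context: this helper covers element content and quoted attribute values, not values placed inside script blocks, URLs or CSS.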