Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions (1)

Javascript Injection at it's Finest!, without even using Eval()!

By , 15 May 2011
 
They need to make javascript only execute in scoped containers within the browser. Don't ask me how, I'm sure the browser companies can make some kinda sandbox element.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

 VectorX
Software Developer (Senior) Codevendor
United States United States
Member
Please visit my personal website http://www.codevendor.com for my latest codes and updates.

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
Hint: For improved responsiveness ensure Javascript is enabled and choose 'Normal' from the Layout dropdown and hit 'Update'.
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
First Prev Next
GeneralI disagree. JavaScript is MADE to extend via the prototype i...memberTatsh16 May '11 - 5:32 
I disagree. JavaScript is MADE to extend via the prototype in each object (although you should not expect this to work on every client, especially IE/JScript).
 
We have a ways to go in terms of security but verifying JSONP requests and CORS are where we are headed (CORS is possible since IE 8 with the XDomainRequest object, on other browsers XHR Level 2). What are we concerned about here? JavaScript injection has always been possible.
 
You have to be very careful what people POST and GET via HTTP in general, not just Ajax requests. Never trust any input from the client side, ever. It must be scraped, cleaned, sanitised, whatever you must do to ensure it is not an attack attempt.
Sign In·View Thread·Permalink
Last Visit: 31 Dec '99 - 18:00     Last Update: 19 May '13 - 3:31Refresh1

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

About Article
They need to make javascript only execute in scoped containers within the browser. Don't ask me how, I'm sure the browser companies can make some kinda sandbox element.
Type Tip/Trick
Licence CPOL
First Posted 15 May 2011
Views 1,624
Bookmarked 1 time

, +
Top News

Math Primers for Programmers

Get the Insider News free each morning.
Related Videos
JavaScript Programming - 0205 When Not To Use JavaScript
JavaScript: If Statement
Javascript Injection at it's Finest!, without even using Eval()!
HTML and JavaScript Injection
Using WebBrowser.Document.InvokeScript() to mess around with foreign JavaScript
Implementing Programming Languages Using C# 4.0
7 Tips for Loading JavaScript Rich Web 2.0-like Sites Significantly Faster
ASP.NET and jQuery to the Max
UFrame: Goodness of UpdatePanel and IFRAME Combined
ASP.NET Custom Control for High Performance Web Scripts
Evaluate Expressions from C# using JavaScript's Eval() Function
Dependency Injection for Loose Coupling
Dynamic Expresso
JavaScript Regular Expression Tester
JavaScript Best Practices
SQL Injection Attacks and Some Tips on How to Prevent Them
A Collection of JavaScript Gotchas
Namespaces in JavaScript
Hyperlinked Images in ASP.NET GridView
How to Protect from SQL Injection in PhP based website
AJAX DropDownList
WPF Evaluated Value Binding Using Converter Parameter
Permalink | Advertise | Privacy | Mobile
Web04 | 2.6.130516.1 | Last Updated 15 May 2011
Article Copyright 2011 by VectorX
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid