Thank you for that really great opinion. my code is ready for use ;-)

On 29 Jan., 23:11, Eric Garside <gars...@gmail.com> wrote:
> If that's the case, then you're certainly not exposing any important information, but it's still not as efficient. With Javascript and JSON alike, the longer the data, the longer it takes to load (this isn't super relevant with tiny bits of info that are under 1k or so), but when you get into transferring larger strings of HTML and animation, it can build up processing time.
>
> The nice thing about JS is that it can take a lot of load off your server if you use it correctly. If you're using PHP or something like that on the backend to generate HTML, or even transfer strings of pre-written HTML over an AJAX call, that's still something your server has to do. However, if you program the logic you need for those kinds of displays into your initial javascript, you can farm a lot of the display tasks off to Javascript.
>
> I'd suggest using keywords to trigger events on your page. For example, you posted at one point you send strings like this across:
>
> $("#cart_info").fadeIn(500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
>
> You can do this a lot easier if you use keyword strings instead.
>
> Let's assume you send the following response:
> {animations: 'cartHighlight,boxSlideIn'}
>
> And have some kind of javascript like this:
>
> $(function(){
>   var animation_library = {
>     cartHighlight: function(){
>       $("#cart_info").fadeIn(500);
>       setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
>     },
>     boxSlideIn: function(){
>       $('#textBox').slideDown(500);
>     },
>     boxSlideOut: function(){
>       $('#textBox').slideUp(500);
>     },
>     cartSuccess: function(){
>       $('#cart_info').append('<div class="ui-highlight">You have added an item into your cart!</div>');
>     }
>   };
>
>   function checkAnimations(animations){
>     // the response carries a comma-separated list of names, so split it first
>     $.each(animations.split(','), function(i, name){
>       if (!animation_library[name]) return;
>       animation_library[name]();
>     });
>   }
>
>   $.post('someurl.php', function(data){
>     // ... do some stuff here ...
>     checkAnimations(data.animations);
>   }, 'json');
> });
>
> That will trim down your json responses a lot, and farm all the effects stuff out to your visitor's computer instead!
>
> On Jan 29, 3:58 pm, Trend-King <i...@trend-king.de> wrote:
> > the data I handle is the same data the user would see if he clicks on the link via page reload.
> >
> > the only difference is the data is being requested via ajax and only has the needed information in it. I say it like this: only boxes are updated.
> >
> > for example if the user clicks the add to cart without javascript he gets a reload and the item is added to cart; with javascript on it makes the same uri call with a get variable ajax=1 and then it only returns the updated elements in a json array and each updates the dom.
> >
> > greet
> >
> > Trend-King wrote:
> > > thank you :-( now I am scared to do something with javascript or ajax or JSON.
> > >
> > > who or how can I check the security of my script?
> > >
> > > is it as easy as you say to hack javascript?
> > >
> > > Eric Garside wrote:
> > > > Technically yes. But only if you don't trust your own server. :)
> > > >
> > > > Like, because of the security concern, you can ONLY ajax from the same domain. (*.whatever.com can only perform an AJAX request on *.whatever.com domains).
> > > >
> > > > However, you were talking about JSON in the beginning, which has methods for fetching cross-domain Javascript. I.e., you can call:
> > > >
> > > > $.getJSON() or $.ajax({type: 'json'}) with the correct params, and pull JSON from a site like... twitter, or flickr.
> > > >
> > > > However, the more unsanitized data you just arbitrarily set in pages, the larger the risk you run of a problem. Now, your chances of getting bad or malicious data from flickr or twitter or any other major web service is small. But it exists.
> > > >
> > > > On Jan 29, 12:47 pm, Trend-King <i...@trend-king.de> wrote:
> > > > > $(document).ready(function(){
> > > > >   $.ajax({
> > > > >     url: "test.html",
> > > > >     cache: false,
> > > > >     success: function(html){
> > > > >       do_something(html);
> > > > >     }
> > > > >   });
> > > > > });
> > > > >
> > > > > function do_something(html){
> > > > >   $("#results").append(html);
> > > > > }
> > > > >
> > > > > it's from the jquery docs so that is also insecure, because I could manipulate the html var and fill some <script></script> in it???
> > > > >
> > > > > On 29 Jan., 18:30, Trend-King <i...@trend-king.de> wrote:
> > > > > > i think so, who could manipulate that JSON string with <script></script> in it?
> > > > > >
> > > > > > and it is exactly the same if I don't use JSON: if somewhere in the javascript is something like $("box_test").html(var_goes_here); someone can manipulate the var_goes_here? and write here <script>alert(document.cookie)</script> or something like this???
> > > > > >
> > > > > > I'm a little confused, is javascript that kind of insecure?
> > > > > >
> > > > > > thanks for your replies Jens
> > > > > >
> > > > > > On 29 Jan., 18:17, Trend-King <i...@trend-king.de> wrote:
> > > > > > > ok, but why is it not JSON to submit a string variable in json within HTML?
> > > > > > > for example making a call to a php script which returns an array of strings in HTML for which I could update the DOM
> > > > > > >
> > > > > > > for example {"items":{"box_test":"Some HTML here","box_test2":"Some HTML there"}}
> > > > > > >
> > > > > > > and then do something like
> > > > > > >
> > > > > > > $.each(response.items, function(id, data){
> > > > > > >   $('#' + id).html(data);
> > > > > > > });
> > > > > > >
> > > > > > > in the success function of the ajax call
> > > > > > >
> > > > > > > is that insecure?
> > > > > > >
> > > > > > > and if the "Some HTML will be <script></script>" how insecure is it?
> > > > > > >
> > > > > > > Thanks for your replies Jens
> > > > > > >
> > > > > > > On 29 Jan., 17:52, Eric Garside <gars...@gmail.com> wrote:
> > > > > > > > Honestly, there's not a whole bunch you could do with JSON that's insecure. The entire meaning of JSON is Javascript Object Notation. All it means is, if you were to type a string of json out within a script tag, it would be a Javascript object.
> > > > > > > >
> > > > > > > > var json = {success: true, name: 'Some Customer', quantity: 8};
> > > > > > > >
> > > > > > > > If you received this via an AJAX call and force processing as JSON (i.e. using $.getJSON or $.post('url.php', function(data){}, 'json');), then it can basically be trusted to come out only as JSON.
> > > > > > > >
> > > > > > > > That being said, it sounds like you're doing something which is not JSON, but rather JavaScript being transferred over AJAX.
> > > > > > > >
> > > > > > > > When you said:
> > > > > > > >
> > > > > > > > > ok and that's safe for things like a string
> > > > > > > > > $("#cart_info").fadeIn(500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> > > > > > > > > got from JSON?
> > > > > > > >
> > > > > > > > You are describing the perfect example of how not to use JSON. If you allow for this kind of processing to occur in a json string, you open a pretty huge security door, and anyone who can get malicious JS into your page can do anything from making your page appear blank, redirecting to a phishing page, or simply just start opening popups with a bunch of porn.
> > > > > > > >
> > > > > > > > The simplest way to do it is to limit returns, and properly process your javascript. Ideally, you'd do something like:
> > > > > > > >
> > > > > > > > $.get('url.php', function(data){
> > > > > > > >   if (data.success) fadeCart(500);
> > > > > > > > }, 'json');
> > > > > > > >
> > > > > > > > function fadeCart(speed){
> > > > > > > >   var cart = $('#cart_info').fadeIn(speed);
> > > > > > > >   setTimeout(function(){cart.fadeOut(speed);}, 2000);
> > > > > > > > }
> > > > > > > >
> > > > > > > > On Jan 29, 11:38 am, Stephan Veigl <stephan.ve...@gmail.com> wrote:
> > > > > > > > > If you are trying to send JavaScript via AJAX that's not JSON. JSON is about data only (see: http://json.org/), and that's exactly what makes secureEvalJSON() secure. This function checks that there is nothing else in your JSON except data, especially no JavaScript commands.
> > > > > > > > > QUOTE: "secureEvalJSON: Converts from JSON to Javascript, but does so while checking to see if the source is actually JSON, and not with other Javascript statements thrown in."
> > > > > > > > >
> > > > > > > > > If your question is: How secure is it to transfer JavaScript via AJAX? Then the answer depends on how secure your channel is, how confident you are that the data are really from the expected source and how much you trust your source.
> > > > > > > > >
> > > > > > > > > For the first shot I would say that it is insecure by default. However it depends on your application. Most web pages are loaded over an insecure channel and from an unidentified source, and we live quite well with it - as long as it's not my net banking page or an online shop.
> > > > > > > > >
> > > > > > > > > But from your example, I guess you are talking exactly about an online shop - then you could use https, this would eliminate the network questions, at least.
> > > > > > > > >
> > > > > > > > > by(e)
> > > > > > > > > Stephan
> > > > > > > > >
> > > > > > > > > 2009/1/29 Trend-King <i...@trend-king.de>:
> > > > > > > > > > ok that's right but $.ajax() also does that so my problem is how safe it is to pass <script></script> through JSON and then append it to the DOM and it will be executed
> > > > > > > > > >
> > > > > > > > > > On 29 Jan., 15:13, jQuery Lover <ilovejqu...@gmail.com> wrote:
> > > > > > > > > > > Reading the plugin homepage it does not. It only encodes and decodes JSON or am I missing
> > ...
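The two points the thread keeps circling (Eric's keyword-dispatch pattern, where the server sends only data and names of effects the page already owns, and Jens's question of what happens when a response string containing `<script>` is written into a box) as one added example. This is not code from the thread or from jQuery; it is plain JavaScript without jQuery or a DOM so it runs in Node, and the animation names, the sample response, and the `escapeHtml`/`renderItems`/`isJsonOnly` helpers are all constructed here for illustration.

```javascript
// Whitelist of effects the page knows how to run. A response may only *name*
// these; it never ships code. (Constructed for this example; the real effects
// would be the jQuery calls from the thread.)
const animationLibrary = {
  cartHighlight: () => 'cartHighlight',
  boxSlideIn: () => 'boxSlideIn',
  boxSlideOut: () => 'boxSlideOut',
};

// Run every named effect that exists in the library and report what ran.
// Unknown names, inherited properties such as "constructor", and a non-string
// "animations" field are all skipped rather than executed.
function runAnimations(library, animations) {
  const ran = [];
  const names = typeof animations === 'string' ? animations.split(',') : [];
  for (const raw of names) {
    const name = raw.trim();
    if (!Object.prototype.hasOwnProperty.call(library, name)) continue;
    ran.push(library[name]());
  }
  return ran;
}

// Escape the five HTML-significant characters so a server string becomes
// text, not markup. This is the difference between "update a box with data"
// and "let the response write <script> into the page".
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Turn a {"items": {id: text}} response into {id: escapedText}. Ids that do
// not look like plain element ids are dropped, so the response cannot steer
// the update at an arbitrary selector.
function renderItems(items) {
  const out = {};
  for (const [id, text] of Object.entries(items || {})) {
    if (!/^[A-Za-z][\w-]*$/.test(id)) continue;
    out[id] = escapeHtml(text);
  }
  return out;
}

// Forcing the body through a JSON parser is what "process it as JSON" means:
// a body that is JavaScript (like the fadeIn/setTimeout string from the
// thread) is rejected instead of being run.
function isJsonOnly(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample response in the shape discussed in the thread, with one
// unknown effect name and one item carrying a script tag.
const sampleBody = JSON.stringify({
  animations: 'cartHighlight,boxSlideIn,notInLibrary',
  items: { box_test: 'Some text <script>alert(document.cookie)</script>' },
});

// End-to-end: parse as data, dispatch by keyword, render values as text.
function demo() {
  const data = JSON.parse(sampleBody);
  return {
    ran: runAnimations(animationLibrary, data.animations),
    rendered: renderItems(data.items),
  };
}

console.log(demo());
console.log('JS body accepted as JSON?',
  isJsonOnly('$("#cart_info").fadeIn(500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);'));
```

In a real page `rendered.box_test` would be assigned with `textContent` (or jQuery's `.text()`) rather than `.html()`, which is the same decision `escapeHtml` makes explicit here: the server decides *what* to show, the page decides *how*, and nothing in the response is ever interpreted as code.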