On 31/01/2011 00:10, Poetro wrote:
> This is not the problem of the language, but the interpretation and
> adding scripts to the web page, in case of browser usage. If there
> could be only one JavaScript tag on the page, and that could load the
> external scripts, it would be more secure IMHO. Then none could inject
> script tags to the page without previous notice of the site developer.
> Oh, and also kill document.write as it is not secure and slow. But
> these are mainly issues of the BOM / DOM not the language itself.

To a degree. One of the main issues is also people not properly escaping
the URL data - when you print out ANYTHING in the page with echo in your
PHP without filtering input you can inject things. The main access point
is what comes in, and then we have the issue that JS allows for much more.

The ability to mutate JS objects and especially arrays is a very
powerful thing and anything that is powerful can be abused.

As with any security issue, a lot of the JS attacks are based on not
understanding the technology you apply. People just add scripts
willy-nilly as they do something cool, much like people use WordPress
plugins that need you to make folders writable and executable.

Saying a language makes it easy to create insecure apps means first and
foremost that it is too easy to achieve results without understanding
the effects your code has. This is one of the reasons this list exists ;)
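
The reply's point about printing URL data into a page without escaping, shown as an added example that is not part of the original thread. It is written in JavaScript rather than the PHP the reply mentions; the URL, the function names and the sample value are constructed for illustration.

```javascript
// Constructed request URL: the "name" parameter carries markup, not a name.
const SAMPLE_URL =
  "https://example.test/hello?name=" +
  encodeURIComponent('"><b>injected</b>');

// Escape the characters that are significant in HTML text and in quoted
// attribute values. "&" goes first so later entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Counterpart of echoing a query parameter directly: URL data reaches
// the page exactly as the sender wrote it.
function renderUnsafe(requestUrl) {
  const name = new URL(requestUrl).searchParams.get("name") ?? "";
  return `<p>Hello, ${name}!</p>`;
}

// Same template, with the value escaped at the point of output, both in
// element text and inside a quoted attribute.
function renderEscaped(requestUrl) {
  const name = new URL(requestUrl).searchParams.get("name") ?? "";
  const safe = escapeHtml(name);
  return `<p title="${safe}">Hello, ${safe}!</p>`;
}

// Review-time check: does the fragment contain any tag other than the
// <p> element the template itself writes?
function hasInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?p[\s>]/.test(tag));
}

console.log(renderUnsafe(SAMPLE_URL), hasInjectedMarkup(renderUnsafe(SAMPLE_URL)));
console.log(renderEscaped(SAMPLE_URL), hasInjectedMarkup(renderEscaped(SAMPLE_URL)));
```

Escaping here is tied to the output context (HTML text and quoted attributes); a value placed inside a script block or a URL needs the encoding for that context instead.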