
Re: CSP : inline functions ?

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 25 Feb 2011 03:10:53 +0000
Message-ID: <AANLkTinwZWNzD+ASHhvocF1W2CGJVf5v-NUCT64c8n-x@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 25 February 2011 02:35, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> The general issue is that your php/perl server-side scripts know a few
> values at runtime while generating the javascript code. Trivially
>
> <script>
> var important_variable = '<?php echo $value_returned_from_sql; ?>'
> // lots of javascript code
> </script>
>
> can be turned into
>
> var foo = function foo(important_variable) { ... all javascript code ... }
>
> The latter can go in an external script, or in the head or wherever. The
> point is that you can then call it from the php script as
> <script>foo('<? echo $value_returned_from_sql; ?>');</script>
>

Trouble is, "important_variable" could be tainted with malicious data and the
user-defined function might use it in some way with a DOM function; and if
your user-defined function can't use the DOM or anything, then what use is
the user-defined function?
Received on Friday, 25 February 2011 03:11:25 GMT
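The pattern the two messages are discussing, written out as an added example that is not code from either poster: the server-side value is emitted as data (a JSON script block, which CSP does not execute) rather than as inline code, the external script reads it back, and, because the value is still tainted once it reaches the page, it is escaped so it cannot end the script element and is only handed to text-only DOM sinks. It runs under Node; the `/static/app.js` path and the `page-data` id are assumptions.

```javascript
// Added example, not from the thread. Node stands in for the PHP template on
// the server side and for the external script on the client side.

// Serialize a value as JSON that is safe to place inside a <script> element.
// A literal "</script>" or "<!--" in the data would otherwise end the element
// early, and U+2028/U+2029 are line terminators in some JS engines, so all of
// them are emitted as JSON \u escapes, which JSON.parse restores unchanged.
function escapeForScriptElement(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Server side (the PHP template's job): the value read from the database goes
// into a non-executable JSON block. The only executable script on the page is
// the external file, which a policy such as script-src 'self' permits, so no
// inline script and no 'unsafe-inline' is needed.
function renderPage(valueFromDb) {
  const json = escapeForScriptElement({ importantVariable: valueFromDb });
  return [
    '<!doctype html>',
    '<script type="application/json" id="page-data">' + json + '</script>',
    '<div id="out"></div>',
    '<script src="/static/app.js"></script>', // assumed path
  ].join('\n');
}

// Client side (what /static/app.js would do). Node has no DOM, so this takes
// the raw text of the JSON block; in the browser it would be
//   JSON.parse(document.getElementById('page-data').textContent)
// The parsed value is still untrusted: the script must only use it with
// sinks that treat it as text, e.g.
//   document.getElementById('out').textContent = data.importantVariable;
// and never innerHTML, eval, or anything that turns the string into code.
function readPageData(jsonText) {
  return JSON.parse(jsonText);
}

// Pull the JSON block back out of the rendered HTML (used by the self-check).
function extractPageData(html) {
  const m = html.match(
    /<script type="application\/json" id="page-data">([\s\S]*?)<\/script>/
  );
  return m ? readPageData(m[1]) : null;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed value containing characters that would break an unescaped
  // inline embedding: a quote, a closing script tag, and an ampersand.
  const sample = "O'Neil </script><b>&amp;</b>";
  const html = renderPage(sample);
  console.log(html);
  console.log(extractPageData(html).importantVariable === sample); // true
}
```

The data block is inert under CSP regardless of how the value was escaped; the escaping is what keeps a value containing `</script>` from closing the block early and the consuming code's choice of sink is what keeps it from becoming markup, which is the concern raised in the reply above.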
