- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 24 Feb 2011 22:10:33 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- CC: public-web-security@w3.org
On 2/24/11 6:35 PM, Devdatta Akhawe wrote:
> var foo = function foo(important_variable) { ... all javascript code ... }
>
> the latter can go in external script, or in the head or wherever. The
> point is that you can then call it from the php script as
> <script>foo('<? echo $value_returned_from_sql; ?>');</script>
>
> Are you convinced that this might make porting easier (ignoring
> whether it has better security than enabling inline scripts) ?
It'd be equivalent and just as easy (and as prone to XSS) to bury
the important variable in a custom HTML tag and pull the value out
when you need it.
<mytag id="sql_stuff" value="<PHP-code-here>" />
then later in script (externally loaded, static)
foo(document.getElementById("sql_stuff").getAttribute("value"))
-Dan Veditz
Received on Friday, 25 February 2011 06:11:45 UTC
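The point Dan makes above, that the custom-tag pattern is "just as prone to XSS" as the inline `foo('<?= ... ?>')` call, comes down to output encoding for the right context. The following is an added example written for this page, not code from either participant: it simulates the "PHP side" with template functions, models the browser's attribute decoding with `decodeHtmlAttr`, and shows what a naive interpolation does in each context next to the correctly escaped form. The payload strings, the `escapeHtmlAttr`/`jsStringLiteral` helpers and the toy `parseAttrs` tokenizer are all constructed for the demonstration.

```javascript
// Added example (not from the thread). Two ways of handing a server-side value to
// script, each as the naive interpolation and as the context-correctly escaped form.

// Escape for a double-quoted HTML attribute value. This plays the role that
// htmlspecialchars($v, ENT_QUOTES) would play in the PHP template for <mytag value="...">.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Simulates what the browser hands back from getAttribute("value"): the entity-decoded
// text. Only the five entities escapeHtmlAttr emits are handled here.
function decodeHtmlAttr(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, m => map[m]);
}

// Encode a value as a JS string literal for an inline <script>. JSON.stringify handles
// quotes, backslashes and control characters; '<' and '>' are escaped as well because
// the HTML parser sees "</script>" before the JS parser ever runs, and U+2028/U+2029
// are line terminators in JS but not in JSON.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// The two templates compared in the message. "Naive" is the verbatim interpolation
// shown in the thread; "Safe" applies the encoder for that output context.
const inlineNaive = v => `<script>foo('${v}');</script>`;
const inlineSafe  = v => `<script>foo(${jsStringLiteral(v)});</script>`;
const tagNaive    = v => `<mytag id="sql_stuff" value="${v}" />`;
const tagSafe     = v => `<mytag id="sql_stuff" value="${escapeHtmlAttr(v)}" />`;

// Toy tokenizer for one tag with double-quoted attributes: returns the attribute
// names and raw (still entity-encoded) values an HTML parser would put on the element.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([A-Za-z][\w-]*)="([^"]*)"/g)) attrs[m[1]] = m[2];
  return attrs;
}

// Recover foo's argument from the inline variant, but only if the emitted script is
// exactly one string literal passed to foo(); anything else returns null.
function inlineArgument(html) {
  const m = /^<script>foo\((.*)\);<\/script>$/s.exec(html);
  if (!m) return null;
  try { const v = JSON.parse(m[1]); return typeof v === 'string' ? v : null; }
  catch { return null; }
}

// Number of "</script>" sequences in the emitted HTML; a correct inline template has one.
function scriptCloseCount(html) {
  return html.split('</script>').length - 1;
}

// Constructed payloads: one breaks out of an attribute, two break out of a JS string.
const PAYLOAD_ATTR   = '" onmouseover="alert(1)';
const PAYLOAD_JS     = "'); alert(1); //";
const PAYLOAD_SCRIPT = '</script><script>alert(1)</script>';

function demo() {
  return {
    // custom-tag pattern: naive gains an event-handler attribute, safe round-trips the value
    tagNaiveAttrs:  Object.keys(parseAttrs(tagNaive(PAYLOAD_ATTR))),
    tagSafeAttrs:   Object.keys(parseAttrs(tagSafe(PAYLOAD_ATTR))),
    tagSafeValue:   decodeHtmlAttr(parseAttrs(tagSafe(PAYLOAD_ATTR)).value),
    // inline-script pattern: naive runs attacker statements, safe keeps them inside the literal
    inlineNaiveHtml: inlineNaive(PAYLOAD_JS),
    inlineSafeArg:   inlineArgument(inlineSafe(PAYLOAD_JS)),
    naiveScriptEnds: scriptCloseCount(inlineNaive(PAYLOAD_SCRIPT)),
    safeScriptEnds:  scriptCloseCount(inlineSafe(PAYLOAD_SCRIPT)),
  };
}

console.log(demo());
```

Neither variant is safer by construction; what changes is which encoder must be applied. For structured values the attribute route is usually easier to get right: JSON-encode on the server, attribute-escape the result, and `JSON.parse(el.getAttribute("value"))` in the external script, which keeps the whole value inside a single, well-understood context.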