- From: gaz Heyes <gazheyes@gmail.com>
- Date: Fri, 25 Feb 2011 03:10:53 +0000
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
Received on Friday, 25 February 2011 03:11:25 UTC
On 25 February 2011 02:35, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> The general issue is that your php/perl server-side scripts know a few
> values at runtime while generating the javascript code. Trivially
>
> <script>
> var important_variable = '<?php echo $value_returned_from_sql; ?>'
> // lots of javascript code
> </script>
>
> can be turned to
>
> var foo=function foo(important_variable){. ... all javascript code ... }
>
> the latter can go in an external script, or in the head or wherever. The
> point is that you can then call it from the php script as
> <script>foo('<? echo $value_returned_from_sql; ?>');</script>
>

Trouble is "important_variable" could be tainted with malicious data, and the user-defined function might use it in some way with a DOM function; and if your user-defined function can't use the DOM or anything, then what use is the user-defined function?
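The two problems raised in this exchange, shown as an added example that is not code from either poster. The first is the inline call itself: `foo('<? echo $value ?>')` drops the value into a JS string literal, so a quote in the data ends the literal. The second is Gaz's point: even with a correct literal, `foo` still hands the argument to a DOM sink. Everything here is constructed for illustration: `buildInlineCallNaive`/`buildInlineCallSafe` stand in for the PHP template, `simulateScriptExecution` stands in for the browser running the script element, and `fakeElement` is a stub element whose `textContent` setter HTML-escapes like a real DOM node would, so the code runs offline under Node.js without jsdom.

```javascript
// Added example (not from the thread). Node.js, no DOM: a stand-in element is
// constructed below so the sink behaviour can be shown offline.

// --- server side, simulated (hypothetical PHP template) ----------------------
// What `<script>foo('<?php echo $value; ?>');</script>` emits: the value is
// pasted straight into a single-quoted JS string literal.
function buildInlineCallNaive(value) {
  return "<script>foo('" + value + "');</script>";
}

// Hardened variant: serialise the value as a JSON string literal and escape
// the characters that would otherwise end the <script> element or break a
// JS literal (`<` so `</script>` cannot appear, and the JS line terminators
// U+2028/U+2029 that JSON allows unescaped).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function buildInlineCallSafe(value) {
  return '<script>foo(' + jsStringLiteral(value) + ');</script>';
}

// Stand-in for the browser: take the body of the single script element and
// run it with recording stubs for foo() and alert(), returning what got
// called. (It models only the JS side; an HTML parser would additionally
// cut the element at the first `</script>`, which jsStringLiteral prevents.)
function simulateScriptExecution(html) {
  const m = /^<script>([\s\S]*)<\/script>$/.exec(html);
  if (!m) throw new Error('constructed page must be exactly one script element');
  const calls = [];
  const foo = (v) => { calls.push(['foo', v]); };
  const alert = (v) => { calls.push(['alert', v]); };
  new Function('foo', 'alert', m[1])(foo, alert);
  return calls;
}

// --- client side: the external function ---------------------------------------
// Constructed stand-in for a DOM element: assigning textContent stores the
// escaped form in innerHTML, mirroring how a real node would serialise.
function fakeElement() {
  const el = { innerHTML: '' };
  Object.defineProperty(el, 'textContent', {
    set(text) {
      el.innerHTML = String(text)
        .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
    },
    get() {
      return el.innerHTML
        .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
    },
  });
  return el;
}

// foo() as it might plausibly be written: the parameter reaches an
// HTML-parsing sink, so markup in the (tainted) argument becomes live DOM.
function fooUnsafe(el, important_variable) {
  el.innerHTML = '<b>' + important_variable + '</b>';
  return el.innerHTML;
}

// The same job done through a text sink: markup in the argument stays inert.
// Returns the serialised markup so the difference is visible.
function fooSafe(el, important_variable) {
  el.textContent = important_variable;
  return el.innerHTML;
}

// Stand-alone demo with constructed payloads.
const breakout = "');alert(1);//";
console.log('naive :', JSON.stringify(simulateScriptExecution(buildInlineCallNaive(breakout))));
console.log('safe  :', JSON.stringify(simulateScriptExecution(buildInlineCallSafe(breakout))));
const markup = '<img src=x onerror=alert(1)>';
console.log('innerHTML sink :', fooUnsafe(fakeElement(), markup));
console.log('textContent    :', fooSafe(fakeElement(), markup));
```

The takeaway matches the thread: moving the code into an external `foo` only relocates the data flow. The literal still has to be built with a real JS serialiser on the server, and `foo` still has to treat its parameter as untrusted input when it touches the DOM.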