Re: CSP : inline functions ?

On 25 February 2011 02:35, Devdatta Akhawe <> wrote:

> The general issue that your php/perl server side scripts knows a few
> values at runtime while generating the javascript code. Trivially
> <script>
> var important_variable = '<?php echo $value_returned_from_sql; ?>'
> // lots of javascript code
> </script>
> can be turned to
> var foo=function foo(important_variable){. ... all javascript code ... }
> the latter can go in external script, or in the head or wherever. The
> point is that you can then call it from the php script as
> <script>foo('<? echo $value_returned_from_sql; ?>');</script>

Trouble is "important_variable" could be tainted with malicious data and the
user defined function might use it in some way with a DOM function and if
your user defined function can't use the DOM or anything then what use is
the user defined function?

Received on Friday, 25 February 2011 03:11:25 UTC