Re: CSP : inline functions ?

On 2/24/11 6:35 PM, Devdatta Akhawe wrote:
> var foo=function foo(important_variable){. ... all javascript code ... }
> the latter can go in external script, or in the head or wherever. The
> point is that you can then call it from the php script as
> <script>foo('<? echo $value_returned_from_sql; ?>');</script>
> Are you convinced that this might make porting easier (ignoring
> whether it has better security than enabling inline scripts) ?

It'd be equivalent and just as easy (and as prone to XSS) to bury
the important variable in a custom HTML tag and pull the value out
when you need it.

  <mytag id="sql_stuff" value="<PHP-code-here>" />

then later in script (externally loaded, static)


-Dan Veditz

Received on Friday, 25 February 2011 06:11:45 UTC