life kills everyone, let's destroy it.

lol a lil too exaggerated right :P


pretty nice presentation, but even though JavaScript has some security problems 
when used in the browser it's mainly a developer's problem, same thing with other 
languages: just open every remote file and eval it in Ruby, PHP, Java or any 
language you choose and you get the same vulnerabilities.

i think the right solution is giving developers the right information and trying 
to push the browsers and ECMA to provide developers with more robust tools for 
sandboxing.

On Jan 30, 2011, at 6:20 PM, Chris Heilmann wrote:

> On 31/01/2011 00:10, Poetro wrote:
>> This is not the problem of the language, but the interpretation and
>> adding scripts to the web page, in case of browser usage. If there
>> could be only one JavaScript tag on the page, and that could load the
>> external scripts, it would be more secure IMHO. Then no one could inject
>> script tags to the page without previous notice of the site developer.
>> Oh, and also kill document.write as it is not secure and slow. But
>> these are mainly issues of the BOM / DOM not the language itself.
>> 
> To a degree. One of the main issues is also people not properly escaping the 
> URL data - when you print out ANYTHING in the page with echo in your PHP 
> without filtering input you can inject things. The main access point is what 
> comes in, and then we have the issue that JS allows for much more.
> 
> The ability to mutate JS objects and especially arrays is a very powerful 
> thing and anything that is powerful can be abused.
> 
> As with any security issue, a lot of the JS attacks are based on not 
> understanding the technology you apply. People just add scripts willy-nilly 
> as they do something cool, much like people use WordPress plugins that need 
> you to make folders writable and executable.
> 
> Saying a language makes it easy to create insecure apps means first and 
> foremost that it is too easy to achieve results without understanding the 
> effects your code has. This is one of the reasons this list exists ;)
> 
> -- 
> To view archived discussions from the original JSMentors Mailman list: 
> http://www.mail-archive.com/[email protected]/
> 
> To search via a non-Google archive, visit here: 
> http://www.mail-archive.com/[email protected]/
> 
> To unsubscribe from this group, send email to
> [email protected]

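An added example, not from this thread, of the point in the quoted message about printing URL data unescaped, shown in JavaScript rather than PHP: the sample input, the `escapeHtml` helper and both render functions are constructed here for illustration.

```javascript
// Added example (not from the thread): the "unescaped echo" problem described
// above, in JavaScript. A value read from the URL (constructed here) is dropped
// into HTML either raw or after escaping the five HTML metacharacters.

// Constructed sample: a query-string value the site developer does not control.
const untrustedName = '<script>alert(1)</script>';

// Escape the characters HTML treats specially so the value is only ever text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the equivalent of echo "<p>Hello $name</p>" in PHP.
function renderUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// Hardened: escape on output, at the point where the value enters HTML.
function renderSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// Crude check used for the comparison: is there a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderUnsafe(untrustedName)); // the script tag survives intact
console.log(renderSafe(untrustedName));   // rendered as visible text only
```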