On Sun, 13 Mar 2011 15:53:59 -0000, Jarek Foksa <[email protected]>
wrote:
> So, security-wise, why would it matter whether eval() or any other
> obscure code is used on the client side?
It's XSS. Client-side security is not important for the integrity of your
server, but it is important for your users (if you have logins and use
sessions, then this has to be protected on the client side too).
If your JS evals something that comes from the URL or some user input echoed
by the server, then an attacker could run code that sniffs forms, steals
cookies, CSRF protection tokens, fetches users' private data via AJAX —
basically hijack the user's session and make any requests in their name.
--
regards, porneL
--
To view archived discussions from the original JSMentors Mailman list:
http://www.mail-archive.com/[email protected]/