
Bug Tracker


#2567 closed feature (fixed)

Opened March 20, 2008 06:16AM UTC

Closed May 16, 2008 04:40PM UTC

$.ajax should allow filtering JS and JSON responses to remove security measures

Reported by: eventualbuddha Owned by: flesler
Priority: major Milestone: 1.2.4
Component: ajax Version: 1.2.3
Keywords: security Cc:
Blocked by: Blocking:
Description

Responses that contain executable JS or even bare JSON may pose a security risk when a malicious site requests such things via a <script> tag (see http://www.fortify.com/servlet/downloads/public/JavaScript_Hijacking.pdf).

To complement a server-side JS/JSON mechanism, I propose that jQuery allow users to specify a filter that will remove whatever is added to the payload to render it safe for <script> tags. Popular methods are prepending while(1); and wrapping the response in a comment. In this patch I've gone with the latter, using a filter identical to the one Prototype uses. Users are free to choose their own, as it is simply a regular expression. Here is an example of the wrapped JSON:

/*-secure- { "data": {"lang": "en", "length": 25} } */

I'm not super-familiar with jQuery, so there may be problems with this patch, particularly with regard to the tests, so please modify to suit whatever guidelines I missed.

Attachments (2)
Change History (5)

Changed May 15, 2008 08:41PM UTC by flesler comment:1

type: enhancement → feature

I'd prefer a function that receives a string and returns a string.

That gives more flexibility than a regex. One could simply sanitize the response from possible injection.

Changed May 15, 2008 09:08PM UTC by flesler comment:2

owner: → flesler
status: new → assigned

Changed May 16, 2008 12:43AM UTC by brandon comment:3

I like the idea of using a function but wonder if we should provide an optional, default function for developers to utilize... hopefully making it that much easier to make their JSON feeds more secure.

Changed May 16, 2008 03:17PM UTC by flesler comment:4

need: Review → Commit

So.. commit ?

Changed May 16, 2008 04:40PM UTC by flesler comment:5

resolution: → fixed
status: assigned → closed

Added the possibility to use a parsing function by the name of 'dataFilter' at [5620].
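The following is an added example, not jQuery's code and not the patch attached to this ticket. It shows a filter in the shape of the 'dataFilter' option that comment 5 refers to (a function taking the raw response text and the requested dataType, returning the text to parse), which strips the two server-side guards the description names: a prepended while(1); and a /*-secure- ... */ comment wrapper. It goes a little beyond the ticket by adding a strict mode that rejects a body that carries no guard at all, so a server that forgot to add the protection is noticed in the client. The regexes, function names, sample responses and the $.ajax call shape shown in the comment are this example's own assumptions.

```javascript
// Added example for ticket #2567: a dataFilter-style function (data, type) -> data
// that removes the server-side JavaScript-hijacking guard before JSON parsing.
// Not jQuery's code and not the ticket's patch; names and regexes are assumptions.

// Prefix form: "while(1);" followed by the JSON text.
const WHILE_GUARD = /^\s*while\s*\(\s*1\s*\)\s*;\s*/;
// Comment form: the whole body wrapped in /*-secure- ... */. The lazy group
// together with the end anchor means a "*/" inside a JSON string does not
// terminate the match early.
const COMMENT_GUARD = /^\s*\/\*-secure-\s*([\s\S]*?)\s*\*\/\s*$/;

// dataFilter-style function: receives the raw response text and the dataType
// the caller asked for, returns the text that should be handed to the parser.
function secureJsonFilter(data, type) {
  if (typeof data !== 'string') return data;
  // Only JSON/script responses carry a guard; leave html/xml/text untouched.
  if (type && type !== 'json' && type !== 'script') return data;
  const wrapped = COMMENT_GUARD.exec(data);
  if (wrapped) return wrapped[1];
  return data.replace(WHILE_GUARD, '');
}

// True when the response carries either guard. Lets a client detect an
// endpoint that is missing the server-side protection.
function hasHijackGuard(data) {
  return typeof data === 'string' &&
    (COMMENT_GUARD.test(data) || WHILE_GUARD.test(data));
}

// Strip the guard and parse with JSON.parse rather than eval: the guard only
// defeats cross-site <script src=...> inclusion, it says nothing about whether
// the body is well-formed JSON, so the parser itself must be a strict one.
// With requireGuard (the default) an unguarded body is an error instead of
// being silently accepted.
function parseGuardedJson(data, options) {
  const requireGuard = !options || options.requireGuard !== false;
  if (requireGuard && !hasHijackGuard(data)) {
    throw new Error('response is missing the JavaScript-hijacking guard');
  }
  return JSON.parse(secureJsonFilter(data, 'json'));
}

// Constructed sample responses (not captured from any real server). The first
// is the wrapped JSON shown in the ticket description.
const SAMPLE_WRAPPED = '/*-secure- { "data": {"lang": "en", "length": 25} } */';
const SAMPLE_PREFIXED = 'while(1); {"data": {"lang": "en", "length": 25}}';
const SAMPLE_NESTED = '/*-secure-{"note":"a */ inside a string"}*/';
const SAMPLE_UNGUARDED = '{"data": {"lang": "en", "length": 25}}';

// Assumed call shape for jQuery 1.2.4 and later, where the filter runs on the
// raw text before the JSON is evaluated:
//   $.ajax({ url: '/feed.json', dataType: 'json', dataFilter: secureJsonFilter,
//            success: function (obj) { /* obj is the parsed object */ } });

if (typeof module !== 'undefined' && typeof require !== 'undefined' &&
    require.main === module) {
  for (const body of [SAMPLE_WRAPPED, SAMPLE_PREFIXED, SAMPLE_NESTED]) {
    console.log(JSON.stringify(parseGuardedJson(body)));
  }
  try {
    parseGuardedJson(SAMPLE_UNGUARDED);
  } catch (e) {
    console.log('rejected unguarded body:', e.message);
  }
}
```

The regexes are anchored at both ends on purpose: a filter that merely deleted the first `*/` or any `while(1);` it found could be tricked by attacker-influenced data inside the JSON, whereas an anchored match only removes the guard the server put around the whole body.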