Bug Tracker

Opened 12 years ago

Closed 12 years ago

#2567 closed feature (fixed)

$.ajax should allow filtering JS and JSON responses to remove security measures

Reported by: eventualbuddha Owned by: flesler
Priority: major Milestone: 1.2.4
Component: ajax Version: 1.2.3
Keywords: security Cc:
Blocked by: Blocking:

Description

Responses that contain executable JS or even bare JSON may pose a security risk when a malicious site requests such things via a <script> tag (see http://www.fortify.com/servlet/downloads/public/JavaScript_Hijacking.pdf).

To complement a server-side JS/JSON mechanism, I propose that jQuery allow users to specify a filter that will remove whatever is added to the payload to render it safe for <script> tags. Popular methods are prepending while(1); and wrapping the response in a comment. In this patch I've gone with the latter, using a filter identical to the one Prototype uses. Users are free to choose their own, as it is simply a regular expression. Here is an example of the wrapped JSON:

/*-secure- { "data": {"lang": "en", "length": 25} } */

I'm not super-familiar with jQuery, so there may be problems with this patch, particularly with regard to the tests, so please modify to suit whatever guidelines I missed.

Attachments (2)

json_with_security.diff (3.0 KB) - added by eventualbuddha 12 years ago.
ajax-filter.diff (1.1 KB) - added by flesler 12 years ago.


Change History (7)

Changed 12 years ago by eventualbuddha

Attachment: json_with_security.diff added

comment:1 Changed 12 years ago by flesler

Type: enhancement → feature

I'd prefer a function that receives a string and returns a string. That gives more flexibility than a regex. One could simply sanitize the response from possible injection.

comment:2 Changed 12 years ago by flesler

Owner: set to flesler
Status: new → assigned

Changed 12 years ago by flesler

Attachment: ajax-filter.diff added

comment:3 Changed 12 years ago by brandon

I like the idea of using a function but wonder if we should provide an optional, default function for developers to utilize... hopefully making it that much easier to make their JSON feeds more secure.

comment:4 Changed 12 years ago by flesler

need: Review → Commit

So.. commit ?

comment:5 Changed 12 years ago by flesler

Resolution: fixed
Status: assigned → closed

Added the possibility to use a parsing function by the name of 'dataFilter' at [5620].
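As an added example (not the ticket's patch and not jQuery's own code), a filter in the string-in, string-out shape flesler asks for in comment:1, stripping the /*-secure- comment wrapper shown in the description as well as the while(1); prefix before the JSON is parsed. The names unwrapSecureJson and parseFiltered and the sample responses are constructed for this example.

```javascript
// A <script> tag on a third-party page executes the raw response, so the
// wrapper keeps the JSON from running there; only a same-origin XHR caller
// that applies this filter gets the usable payload back.
const SECURE_COMMENT = /^\s*\/\*-secure-\s*([\s\S]*?)\s*\*\/\s*$/;
const WHILE_PREFIX = /^\s*while\s*\(\s*1\s*\)\s*;/;

// dataFilter-style function: (string, type) -> string. Non-JSON responses
// and non-string data pass through untouched.
function unwrapSecureJson(data, type) {
  if (type !== "json" || typeof data !== "string") {
    return data;
  }
  const m = SECURE_COMMENT.exec(data);
  if (m) {
    return m[1];                      // body between /*-secure- and */
  }
  return data.replace(WHILE_PREFIX, ""); // drop a while(1); prefix, if any
}

// Constructed sample responses, as a server using each scheme would emit them.
const COMMENT_WRAPPED = '/*-secure- { "data": {"lang": "en", "length": 25} } */';
const WHILE_WRAPPED = 'while(1); { "data": {"lang": "en", "length": 25} }';

// Run the filter, then parse what is left.
function parseFiltered(raw) {
  return JSON.parse(unwrapSecureJson(raw, "json"));
}

// Wiring it into $.ajax would look like this (dataFilter option, jQuery 1.2.4+):
// $.ajax({ url: "/feed", dataType: "json", dataFilter: unwrapSecureJson, success: fn });
```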
