javascript - Security issues with reading a JS array?


I'm building a website that has a JS multi-dimensional array in a .js file in the scripts folder on the server. In the array are video embed codes (Vimeo iframes) and additional strings: composers, players and piece names. There are 1000 videos in the array.

    var videos = [
      ['embed code', 'composer name', 'player name', 'piece name'],
      ['embed code', 'composer name', 'player name', 'piece name']
      ...
    ];

There is a search text box where users make specific searches for composer, player, etc. A jQuery script iterates through each inner array to find matches for the user's query and present them on the page. Like this:

    function getarray(video) {
      if (campyear === video[j]) {
        var pos = video.indexOf(video[j]);
        $('#searcharea').append('<td>' + video[(pos - pos)] + '</td><td><h3>composer: ' + video[(pos - pos) + 1] + '</h3><br><h3>player: ' + video[(pos - pos) + 2] + '</h3><br><h3>piece: ' + video[(pos - pos) + 3] + '</h3></td>');
      }
      else
        noresultcount++;

      if (campyear === video[j] && count % 2 === 0)
        $('#searcharea').append('</tr><tr>');
      if (campyear === video[j])
        count++;
      if (i === videos.length && j === 4)
        $('#searcharea').append('</table>');
      if (noresultcount === videos.length * 5)
        $('#searcharea').html("<h4>No results found for " + yearvalue + " " + buttonvalue + ". Not all camps have videos every year.</h4>");
      $('#searcharea').fadeIn(500);
    } // end of getarray()
    ...
    ...
    ...
    for (i = 0; i < videos.length; i++) {
      for (j = 0; j < 5; j++) {
        getarray(videos[i]);
      }
    }

I know there are security issues with traditional SQL databases and PHP that need to be considered, but in this case should I be concerned about threats to the data or the website? I thought that since the script can only read the data and print it there wasn't anything to do, but I'm not sure. The data isn't sensitive.

Thanks for your time.

The issue is that if someone can alter the file before it gets read in, they can inject JavaScript code into it. One way to alter the file is to hack the server, but by taking over proxies they don't have to touch your machine at all. They would have to somehow trick clients into going through the proxy, and you can't stop that from happening.

The easiest fix is to use a JSON file instead of a JavaScript file. JSON's syntax is close to the syntax used for JS literals: as far as I can see from your example, the only changes you'd need to make to the file are to get rid of the "var videos =" at the start and swap the single quotes for double quotes. In your code, exchange whatever works to this effect:

    // Assume getjs() grabs the JavaScript file
    // and returns a string with the text of the file.
    var videocode = getjs();
    eval(videocode);

...for something that works like this:

    // Assume getjsondata() grabs the JSON
    // and returns a string with the text of the file.
    var jsondata = getjsondata();
    var videos = JSON.parse(jsondata);

Note that we're using JSON.parse (which has polyfills for old browsers) instead of eval. This is because it puts the content through a dedicated JSON parser instead of the JavaScript one. JSON doesn't know how to deal with code, so if an attacker tries to inject code by changing the file, the changed content won't work, because JSON won't know what to do with it. You don't want the app to stop in the middle, but it's better than letting the attacker take over.
