mlse
03-31-2008, 03:02 PM
Hi all,
I am writing a little bit of test code to enable PHP to pass arrays back to javascript, as follows:
E.g. of PHP code:
$values = array("apple", "pear", "orange");
echo to_javascript($values); //in this case the string "['apple', 'pear', 'orange']" is generated.
And handling in AJAX:
http.onreadystatechange = function()
{
if (http.readyState == 4)
{
var $response = eval(http.responseText); /* Security hole? */
}
}
I can imagine that any old thing could be injected into http.responseText (and subsequently eval'd) in the javascript that I've posted. Does the code injection threat really exist and if so, how can I mitigate against it?
I am writing a little bit of test code to enable PHP to pass arrays back to javascript, as follows:
E.g. of PHP code:
$values = array("apple", "pear", "orange");
echo to_javascript($values); //in this case the string "['apple', 'pear', 'orange']" is generated.
And handling in AJAX:
http.onreadystatechange = function()
{
if (http.readyState == 4)
{
var $response = eval(http.responseText); /* Security hole? */
}
}
I can imagine that any old thing could be injected into http.responseText (and subsequently eval'd) in the javascript that I've posted. Does the code injection threat really exist and if so, how can I mitigate against it?