XmisterIS
03-09-2012, 01:37 PM
I have written a little bit of JavaScript which displays a popup div.
The essence of the idea is simple, and works like this:
In the JavaScript:
    // Create a new <div>, fill it with the given HTML markup and attach it to the page.
    function popup(markup)
    {
        var div = document.createElement("div");
        div.innerHTML = markup;
        document.body.appendChild(div);
    }
And in the PHP:
    // Server-side help text. It is passed to popup() as a single-quoted JS string
    // literal inside the href attribute, so it is HTML-entity-encoded with ENT_QUOTES.
    $markup = "<h3>Help</h3><p>You clicked on help, so here it is.</p>";
    echo '<a href="javascript:popup(\'' . htmlentities($markup, ENT_QUOTES) . '\');">help</a>';
Of course, there's a whole load more code (e.g. I have a mechanism for displaying the pop-up near the mouse and for allowing the user to close the pop-up, etc, etc, etc), but that is irrelevant to my question.
Note also that $markup can contain anything I want - e.g. it could contain a form.
Note also that the server populates $markup with predictable content - it is NOT populated by the user.
Are there any security risks inherent in the code as I have posted it? (i.e. barring the fact that $markup could be used for code injection, but I have accounted for that and mitigated against it).
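Added example, not part of the post above: the value in the PHP line sits inside a JavaScript string literal, which itself sits inside an HTML attribute, so it lives in two encoding contexts and has to be encoded for both, innermost first. The snippet below reproduces that chain in Node without a browser. htmlAttrEscape and htmlAttrDecode are illustrative stand-ins for PHP's htmlentities(..., ENT_QUOTES) and for the browser's attribute-value decoding, simulateClick is a stand-in for following the javascript: URL, and the sample help strings are constructed for the demonstration.

```javascript
// Added example (not the original poster's code). It shows why a value placed
// in a JS string literal inside an HTML attribute needs JS-string encoding
// first and HTML-attribute encoding second, using small stand-ins for the
// browser rather than the real HTML and JavaScript parsers.

// Outer layer: HTML attribute encoding, the only layer the posted PHP applies
// (illustrative equivalent of htmlentities($s, ENT_QUOTES)).
function htmlAttrEscape(s) {
  return s.replace(/&/g, "&amp;")
          .replace(/"/g, "&quot;")
          .replace(/'/g, "&#039;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;");
}

// The browser undoes that layer before it ever looks at the javascript: URL.
function htmlAttrDecode(s) {
  return s.replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">")
          .replace(/&quot;/g, '"')
          .replace(/&#0?39;/g, "'")
          .replace(/&amp;/g, "&");
}

// Mirrors the posted PHP: entity-encode once, drop the result into a
// single-quoted JS string literal in the href.
function buildLinkSingleLayer(markup) {
  return `<a href="javascript:popup('${htmlAttrEscape(markup)}');">help</a>`;
}

// Encode the innermost context first: JSON.stringify() produces a valid JS
// string literal (quotes, backslashes and newlines escaped); only then encode
// the whole literal for the attribute.
function buildLinkTwoLayer(markup) {
  const jsLiteral = JSON.stringify(markup);
  return `<a href="javascript:popup(${htmlAttrEscape(jsLiteral)});">help</a>`;
}

// Stand-in for clicking the link: decode the attribute value, strip the
// scheme, and run the JavaScript with a popup() that records its argument.
// Returns { ok: false, error } when the JavaScript does not even parse.
function simulateClick(linkHtml) {
  const href = /href="([^"]*)"/.exec(linkHtml)[1];
  const js = htmlAttrDecode(href).replace(/^javascript:/, "");
  let received = null;
  try {
    new Function("popup", js)((arg) => { received = arg; });
  } catch (e) {
    return { ok: false, error: e.name };
  }
  return { ok: true, markup: received };
}

// Constructed inputs: the post's own sample, and server-side help text that
// happens to contain an apostrophe, double quotes and a newline.
const PLAIN_HELP = "<h3>Help</h3><p>You clicked on help, so here it is.</p>";
const TRICKY_HELP = "<h3>Help</h3><p>It's a \"help\" box.\nSecond line.</p>";

function demo() {
  return {
    plainSingle: simulateClick(buildLinkSingleLayer(PLAIN_HELP)),   // works
    trickySingle: simulateClick(buildLinkSingleLayer(TRICKY_HELP)), // SyntaxError
    trickyTwo: simulateClick(buildLinkTwoLayer(TRICKY_HELP)),       // round-trips
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The single-layer link works for the post's sample text but breaks as soon as the markup contains an apostrophe, because the browser turns `&#039;` back into `'` before the JavaScript parser sees it; entity encoding protects the attribute, not the string literal inside it. The two-layer link round-trips the markup exactly. Putting the markup in a `data-` attribute and wiring the click with addEventListener avoids the inline JS context entirely; the innerHTML sink in popup() is kept as posted and is a separate concern.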