This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

CRV2 ClientSideCodeJScript

From OWASP
Revision as of 18:56, 18 October 2013 by Abbas Naderi (talk | contribs) (JScript security)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Three points of validity are required for Javascript codes:

  1. Have all the logic server-side, Javascript is only the butler
  2. Check for all sorts of XSS DOM Attacks
  3. Check for insecure Javascript libraries and update them frequently.


Javascript uses strings to create DOM elements. This can lead to XSS attacks. All input should be sanitized before being converted to DOM objects.

Javascript libraries are not prone to attack. Most of them have flaws in them, recent jQuery flaw (evaluating the document.location.hash, allowing XSS to be embedded after # in location) caused Drupal (which is generally a safe system) to allow admin user creation for attackers!