Is it safe to load HTML and js via ajax?

I'm using the jQuery load function $('#result').load('test.php'); to load a page into another page by clicking a tab. The page I'm loading contains JavaScript and PHP, and contains a form. Using the Firebug console I saw that there is a GET for all my script sources in the page I'm loading as well. Not sure if that should be a concern.

Can data be hacked via the jQuery load? Are there any issues to consider?

Note: I'm aware that old browsers don't work with JavaScript, but is there anything else to consider?

CyberJunkie asked Jun 02 '11 00:06

3 Answers

So long as your site isn't compromised, an XHR to your own data is inherently no more dangerous than any other request.

alex answered Oct 18 '22 12:10

Loading content using AJAX does not introduce any additional security issues.

An attacker can hijack the connection and inject his own JavaScript (unless you're using HTTPS), but he can also do that to the page itself.

An attacker can exploit an XSS hole in your backend to run his own JavaScript, but he can also do that to the page itself.

SLaks answered Oct 18 '22 12:10

It really depends on how well you trust the source of the scripts. If you control them then there's no (additional) issue. If you're getting them from somewhere else (like jQuery from Google's CDN, for example) you're trusting that source.

Andrew Cooper answered Oct 18 '22 14:10
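
The two conditions the answers name (HTTPS for transport, and trust in whoever hosts each script) can be checked for a fragment before it is served to .load(). The following Node.js code is an added example, not part of the original question or any answer; the function names, URLs and sample markup are constructed, and it assumes well-formed script tags with quoted attribute values.

```javascript
// Added example; names, URLs and sample markup are constructed for illustration.
const crypto = require('crypto');

// Subresource Integrity value for a script body: "sha384-" + base64(SHA-384).
function sriHash(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body).digest('base64');
}

// True if any token of the integrity attribute matches the body (sha384 only).
function matchesIntegrity(body, integrity) {
  return integrity.trim().split(/\s+/).includes(sriHash(body));
}

// One finding per external <script src> in a fragment that will be injected
// into pageUrl. Assumes well-formed tags with quoted attribute values.
function auditFragment(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) continue; // inline script: trusted exactly as much as the fragment
    const url = new URL(src[1], page); // resolve relative URLs against the page
    const pin = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    let verdict = 'ok';
    if (url.protocol !== 'https:') {
      verdict = 'insecure-transport'; // can be rewritten in transit
    } else if (url.origin !== page.origin && !pin) {
      verdict = 'third-party-unpinned'; // host can change the code at will
    }
    findings.push({ src: url.href, verdict, integrity: pin ? pin[1] : null });
  }
  return findings;
}

// Constructed sample: the kind of fragment test.php might return.
const SAMPLE_BODY = 'console.log("vendor lib");';
const SAMPLE_FRAGMENT = `
<form action="save.php"><input name="q"></form>
<script src="js/form.js"></script>
<script src="http://cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/lib.js" integrity="${sriHash(SAMPLE_BODY)}"
        crossorigin="anonymous"></script>`;

for (const f of auditFragment(SAMPLE_FRAGMENT, 'https://app.example.com/index.php')) {
  console.log(f.verdict.padEnd(22), f.src);
}
```

A script on the page's own HTTPS origin carries the same trust as the page; a cross-origin script with an integrity attribute is only executed by the browser if its body still matches the pinned hash.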