
In another question, I asked if it was possible to do this:

<script type="text/javascript" src="/js/myScript.js?v=3"></script>

and then get the value of v within myScript.js using jQuery or JavaScript. Apparently, yes, it can be done like so:

var getV = document.currentScript.src.split("?v=")[1];      // JS: src of the script element currently executing
var getV = $('script').last().attr("src").split("?v=")[1];  // jQuery: assumes this is the last <script> in the document

My new question - Am I creating any kind of security risk that can be exploited by doing this? If so, is there a way to sanitize the value of the query string to eliminate the risk?

In case it matters, myScript.js uses jQuery to insert some HTML it constructs (some divs and an image) based on some conditionals into the page.

  • Is the script tag put in the dom by your code or some third party stuff? Commented Oct 26, 2016 at 13:15
  • The script tag is put in the DOM by myself just before the closing body tag. It is my own script and doesn't use AJAX or otherwise have any interaction with the server. Commented Oct 26, 2016 at 14:36
  • Now you have a user-submitted string in a variable. No security issue in itself. It's what you go on to do with that variable that counts. If you execute it as JavaScript using eval() then clearly you've got a cross-site-script problem. If you write it into HTML markup (eg with innerHTML, $el.html() or document.write()) then you've got an HTML-injection problem also leading to cross-site-scripting. If you construct HTML safely using DOM text and attribute properties then you're fine. Commented Oct 29, 2016 at 11:26
  • @bobince - Thank you for the answer. I think I am OK as I am constructing the HTML safely. Commented Oct 31, 2016 at 14:19
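The distinction bobince draws in the comments (a query-string value is harmless to hold, dangerous to eval or to write into markup) is easier to see with working code. The following is an added example, not code from the question or answer. It parses v from the script's src with the URL API instead of split("?v="), restricts it to an allowlist of layout class names (the "full" / "container" mapping is taken from the comments below; the default fallback and the "/logo.png" image are assumptions), and contrasts string-concatenated markup with DOM construction. The base URL passed to URL() is only needed to resolve a relative src and is an assumption:

```javascript
// Added example: reading ?v= from the script's own src safely.
// Not part of the original question or answer.

// Parse the query string properly so "?x=1&v=full", percent-encoding
// and a trailing "#fragment" all work. The base URL is an assumption,
// used only so relative paths like "/js/myScript.js?v=3" can be parsed.
function getScriptVersion(src) {
  const url = new URL(src, "https://example.invalid/");
  return url.searchParams.get("v"); // null when v is absent
}

// Allowlist: the only thing the query string is allowed to choose is one of
// these keys. Anything else falls back to the default layout.
const LAYOUT_CLASS = { full: "container-fluid", container: "container" };

function pickLayoutClass(v) {
  // hasOwnProperty guards against keys like "constructor" or "__proto__"
  return Object.prototype.hasOwnProperty.call(LAYOUT_CLASS, v)
    ? LAYOUT_CLASS[v]
    : LAYOUT_CLASS.container;
}

// The risky pattern from the comments: the raw value concatenated into HTML.
// A value such as '"><img src=x onerror=alert(1)>' breaks out of the attribute.
function unsafeMarkup(v) {
  return '<div class="' + v + '"><img src="/logo.png"></div>';
}

// Minimal escaping for text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened string form: allowlisted value, then escaped for good measure.
function safeMarkup(v) {
  return '<div class="' + escapeHtml(pickLayoutClass(v)) + '"><img src="/logo.png"></div>';
}

// Preferred form in the browser: build nodes with DOM properties, never
// innerHTML / $el.html() / document.write() with the raw value.
function render(doc, v) {
  const div = doc.createElement("div");
  div.className = pickLayoutClass(v);
  const img = doc.createElement("img");
  img.src = "/logo.png";
  img.alt = "logo";
  div.appendChild(img);
  return div;
}

// Browser-only entry point; skipped when run under Node.
if (typeof document !== "undefined" && document.currentScript) {
  const v = getScriptVersion(document.currentScript.src);
  document.body.appendChild(render(document, v));
}
```

Note that a visitor can always load the script with a v of their own choosing, so the allowlist is what keeps an attacker-controlled value from ever reaching the markup; escaping alone would leave class names like `container" style="...` out of the layout but still reflects whatever the attacker typed into the page.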

1 Answer


Well, security is not the word I would use to refer to JavaScript stuff. All client code is browsable, editable, exploitable. It doesn't really matter what you do in JavaScript as long as your server code is assuming user input can be forged/corrupted. All JavaScript frameworks put a lot of logic in the browser, thus allowing the user to mess with it, and that doesn't mean those frameworks are bad; furthermore, requests can also be forged, so, short answer is... security holes are not in your client, but in your server. Your client is "a big hole" by definition and all that comes from it must be treated as dangerous.

What you must ask yourself is: "can the user request/push something from/to the server that will produce an unwanted execution" ? You can let the client-user ask to format your hard drive or retrieve all your user's passwords. Expect that to happen. But... will your server allow it?


5 Comments

My script doesn't interact with the server at all, i.e. there are no AJAX requests. It basically just creates some HTML markup and inserts it into the document. The query string question came up because depending on the value of the query string, the script would use different class names. That being the case, does it sound possible for something malicious to be pushed to the server? I'll be using the script on multiple sites so I figured it's easier to use a query string rather than have a different version of myScript.js on each site with just a single variable changed in the code.
Having a query string for serving different script versions doesn't seem dangerous at all. I don't know what your server code does, but if it only reads the value and returns the script you should be fine. Notice users might be able to manually try other query strings to get the other versions.
Thank you for the response. The query string will basically just change the HTML that I construct with jQuery. For example, "myScript.js?v=full" might use a Bootstrap ".container-fluid" class while "myScript.js?v=container" might use the ".container" class instead. The query string would depend on the layout of the site that I'm using it on. That's a simple example, but it basically describes what I'm trying to do.
I see. Security concerns regarding JavaScript come in many flavours. I think the topmost concerns have to do with 1. Using eval() for stuff that is in some way loaded from user input 2. JavaScript-driven UIs in which the user might be able to alter the program's execution in a way that he/she will be able to trick the server into executing or getting protected code/data. This is not the issue in your case.
Thank you for the explanation and sorry for missing it earlier. That all makes sense to me and I feel better about doing it and not creating a security risk. Thanks again!
