
Ajax XML issues with XSS validation

While using Ajax in web applications, we use XML to transfer the data between server and client. However, XSS validation comes into the picture, so the questions are:

1. Is passing XML like this correct?
2. Are we exposed to security issues if we turn off XSS validation?
3. Can passing the Ajax request with a header (content-type = application/xml) solve this problem?

JSON is also a good approach to transfer the data, but that too can invoke XSS. So what is correct and incorrect? Suggest some good practices. Please provide your input for the same. Thanks,


I prefer using JSON for this; it is much more lightweight than XML, and since it is a JavaScript object it becomes trivial to make use of the data returned in your event handler. Just be careful not to eval() your JSON object, as this compromises security - see When is JavaScript's eval() not evil?

As for the XSS protection, it is there for good reason. I take it from your post that the client code is hosted on a different domain to the data source? XSS protection only comes into effect if that is the case. You might want to look into JSONP, which has been developed for this scenario, though it too carries its own set of security concerns: http://en.wikipedia.org/wiki/JSON#JSONP

Hope this helps,

JS

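An added example (not part of the original answer) illustrating the two points above: a stand-alone Node.js script that contrasts eval() with JSON.parse() on a constructed hostile Ajax response, and shows the HTML escaping step that parsed data still needs before it is written into innerHTML. The response strings and the escapeHtml helper are constructed for illustration; they are not from any real server or library.

```javascript
// Added example: why JSON.parse() beats eval() for Ajax responses, and why
// data that JSON.parse() returns still has to be escaped before reaching the DOM.
// Both "responses" below are constructed sample strings, not real server output.

// A well-formed JSON reply, as the server is expected to send it.
const goodResponse = '{"user":"alice","bio":"Hello <b>world</b>"}';

// A reply controlled by an attacker (compromised or spoofed endpoint).
// It is valid JavaScript, but it is NOT valid JSON.
const hostileResponse =
  '(function(){ globalThis.pwned = true; return {"user":"mallory"}; })()';

// Unsafe pattern: eval() executes whatever text came back over the wire.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Safe pattern: JSON.parse() accepts only the JSON grammar; any executable
// code in the response is rejected with a SyntaxError and never runs.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Minimal HTML escaping for values that must be inserted via innerHTML.
// (Using textContent instead of innerHTML avoids the need for this entirely.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Runs both parsers against the hostile response and reports what happened.
function demo() {
  globalThis.pwned = false;

  // eval(): the attacker's function body runs as a side effect of "parsing".
  const viaEval = parseWithEval(hostileResponse);
  const evalExecutedCode = globalThis.pwned === true;

  // JSON.parse(): the same response is rejected outright, nothing executes.
  let parseRejected = false;
  try {
    parseWithJsonParse(hostileResponse);
  } catch (e) {
    parseRejected = e instanceof SyntaxError;
  }

  // Even with JSON.parse(), a string field is still untrusted markup
  // if it is later assigned to innerHTML; escape it (or use textContent).
  const data = parseWithJsonParse(goodResponse);
  const safeBio = escapeHtml(data.bio);

  return { evalExecutedCode, parseRejected, user: viaEval.user, safeBio };
}

console.log(demo());
```

The same rule applies whether the transport is XML or JSON: switching the response's content-type does not change what happens once a string from the response is handed to eval(), innerHTML or document.write(); the escaping (or the use of textContent / DOM APIs) is what prevents the XSS.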
