Using PHP as a Javascript File - Security?

What are the problems with using a PHP file instead of a .js file in a JavaScript include:

<script type='text/javascript' src='myjavascript.php'></script> 

      

Obviously I will go through and run global registry issues and so on, but are there any other vulnerabilities that could arise from this? Note that 100,000 people will view the page using this script.

+2




2 answers


Are there other vulnerabilities that could arise from this?

In PHP itself, outputting values to JavaScript requires a different encoding scheme than outputting to HTML. If you don't get it right, you run into the same cross-site scripting issues as if you didn't use htmlspecialchars() in your PHP HTML generation:

var name= '<?= $name ?>';

<?php
    echo "var name='$name';"
?>

      

Both of these will cause problems if your names contain apostrophes or backslashes. This is one of the few places where addslashes() can really be the right thing for you!

Also, you should be aware that JavaScript files can be included with the <script> tag by a different domain, which would normally be denied access to your pages under the JavaScript Same Origin Policy. This will open you up to cross-site information attacks if your script contains user-sensitive data:



<script src="http://www.targetsite.com/script.php" type="text/javascript"></script>
<script type="text/javascript">
    alert('Ha ha, I know you are logged in to targetsite.com as user '+name);
</script>

      

Finally, you have to deal with caching. If your data is very dynamic, you will need to set the no-cache headers in the script response so that browsers don't cache it. On the other hand, for less frequently changing data you would want to handle expiration, ETags and If-Modified-Since / Not Modified headers so that the browser can cache more efficiently; you don't want 100,000 people to fetch the script over and over again, putting a load on your server, if you can help it.

Getting cache handling right can be quite painful, with unusual results when you get it wrong.

Taken together, this is why PHP templating into JavaScript is generally unpopular. For typical use, when the main body of the script is static and the amount of data you have to add is small, it is usually better to template this data into the HTML, either in the attributes of related elements, or by hiding it in a comment that can be read from the DOM, or by including an inline <script>.

+1
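An added example, not part of either answer: the interpolation pattern from the first answer next to a hardened form. It uses json_encode() with the JSON_HEX_* flags in place of the addslashes() the answer mentions, because that also covers newlines and a closing </script>; the function names and the sample $name value are constructed for illustration.

```php
<?php
// Added example, not code from the original page. Function names and the
// sample value are constructed. Requires PHP 7.3+ (JSON_THROW_ON_ERROR).

/** The pattern shown in the answer: raw interpolation into a JS string literal. */
function emit_unsafe(string $name): string
{
    return "var name='$name';";
}

/**
 * Hardened form: json_encode() produces a complete JS string literal, quotes
 * included. The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes,
 * so the value cannot close the literal or an enclosing <script> element.
 */
function emit_safe(string $name): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_THROW_ON_ERROR;
    return 'var name=' . json_encode($name, $flags) . ';';
}

// Constructed hostile value: apostrophe, backslash, newline and a closing tag.
$name = "O'Brien\\\n</script>";

if (PHP_SAPI !== 'cli') {
    // Served as a script: declare the type, forbid content sniffing, and keep
    // per-user output out of shared caches (the "very dynamic" case above).
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-cache');
    echo emit_safe($name), "\n";
} else {
    // Run from the command line to compare the two outputs side by side.
    echo 'unsafe: ', emit_unsafe($name), "\n";
    echo 'safe:   ', emit_safe($name), "\n";
}
```

The headers address encoding and caching only; they do not stop another site from including the script with its own <script> tag, so user-sensitive values still should not be emitted this way.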




No, the server will parse it just like any other PHP file.

The file will be received by an HTTP request just like any other web page. If you include it with <script>, it will be retrieved with a GET request, but that won't stop someone curious from using POST. You should use the same precautions that you would in any other PHP script - no more, no less.



As far as the browser is concerned, it's just javascript - it doesn't know it's generated by PHP, so there aren't any additional features to consider there.

As long as you don't leave a way to insert the javascript into the file, you should be fine. Just don't trust the ins and outs.

+5

