Are there other vulnerabilities that could arise from this?
In PHP itself, outputting values to JavaScript requires a different encoding scheme than outputting to HTML. If you don't get it right, you run into the same cross-site scripting issues as if you didn't use htmlspecialchars() in your HTML-generating PHP:
var name= '<?= $name ?>';

<?php
echo "var name='$name';"
?>
Both of these will cause problems if your names contain apostrophes or backslashes. This is one of the few places where addslashes() can really be the right thing for you!
Also, you should be aware that JavaScript files can be included with the <script> tag by a different domain, one that would usually be denied access to your pages under the JavaScript Same Origin Policy. This opens up cross-site information attacks if your script contains user-sensitive data:
<script src="http://www.targetsite.com/script.php" type="text/javascript"></script>
<script type="text/javascript">
alert('Ha ha, I know you are logged in to targetsite.com as user '+name);
</script>
Finally, you have to deal with caching. If your data is very dynamic, you will need to set the no-cache headers in the script response so that browsers don't cache it. On the other hand, for less frequently changing data that you would like to expire properly, you will want to handle the ETag and If-Modified-Since / Not-Modified headers so that the browser can cache more efficiently; you don't want 100,000 people fetching the script over and over again, putting load on your server, if you can help it.
Getting caching right can be quite painful, with surprising results when you get it wrong.
Taken together, this is why templating PHP into JavaScript is generally unpopular. For typical use, when the main body of the script is static and the amount of data you have to add is small, it is usually better to template that data into the HTML instead, either in the attributes of related elements, by hiding it in a comment that can be read from the DOM, or by including it in an inline <script>.
bobince
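An added example, not code from bobince's answer, showing what the encoding problem in the answer looks like in practice: the same value dropped into a JavaScript string literal by raw interpolation, by addslashes(), and by json_encode() with the JSON_HEX_* flags. The function names and the values in $samples are constructed for the demonstration.

```php
<?php
// Added example, not part of bobince's answer: three ways of dropping a PHP
// value into a JavaScript string literal, and what each does with hostile
// input. The function names and the $samples values are constructed for
// this demonstration.

declare(strict_types=1);

// 1. Raw interpolation, as in the answer's two snippets: an apostrophe in
//    the value ends the string literal and whatever follows becomes code.
function js_raw(string $value): string
{
    return "var name='" . $value . "';";
}

// 2. addslashes(): escapes ' " \ and NUL, which closes the apostrophe and
//    backslash hole. It does not touch "</script>", so when the output is
//    inlined in an HTML page the HTML parser still ends the script block
//    there, and it leaves raw newlines and U+2028/U+2029 in place, which
//    terminate the literal (a JS syntax error rather than an injection).
function js_addslashes(string $value): string
{
    return "var name='" . addslashes($value) . "';";
}

// 3. json_encode() with the JSON_HEX_* flags: yields a double-quoted JS
//    string literal in which <, >, &, ' and " come out as \uXXXX escapes,
//    and control characters, newlines and non-ASCII (U+2028/U+2029 included)
//    are escaped too, so the output is safe both as a standalone .js
//    response and inside an inline <script> block. Invalid UTF-8 throws.
function js_json(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return 'var name=' . json_encode($value, $flags) . ';';
}

// Constructed sample values: the apostrophe and backslash cases from the
// answer, plus the ones addslashes() does not cover.
$samples = [
    "O'Brien",
    'C:\\temp\\',
    "x'; alert(document.cookie); //",
    '</script><script>alert(1)</script>',
    "line1\nline2",
];

foreach ($samples as $name) {
    echo 'input:      ', json_encode($name), PHP_EOL;
    echo 'raw:        ', js_raw($name), PHP_EOL;
    echo 'addslashes: ', js_addslashes($name), PHP_EOL;
    echo 'json:       ', js_json($name), PHP_EOL, PHP_EOL;
}
```

For a separate script.php response only the apostrophe, backslash and newline cases matter, since there is no HTML parser involved; the "</script>" case bites as soon as the same template is pasted into an inline <script> block. Using the json_encode() form everywhere means you do not have to remember which of the two contexts a given template ends up in.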
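A second added example, again not from bobince's answer, for the caching and cross-site inclusion points: a script.php handler that emits per-user JavaScript with either no-store headers or ETag / Last-Modified validation, answering conditional requests with 304. The user name, modification time and the request headers handed to serve_script() are constructed; the Sec-Fetch-Site check goes beyond the answer and is an assumption about what a practitioner would add against the cross-site <script src> inclusion described above.

```php
<?php
// Added example, not part of bobince's answer: a script.php that emits a
// JavaScript file containing per-user data and handles the caching headers
// the answer mentions. The user data, the modification time and the
// "request headers" passed to serve_script() are constructed here; a real
// page would take them from the session, the database and $_SERVER.
// The Sec-Fetch-Site check goes beyond the answer: it is a defence-in-depth
// measure against the cross-site <script src> inclusion the answer describes.

declare(strict_types=1);

function serve_script(string $body, bool $volatile, int $lastModified, array $req): array
{
    $headers = ['Content-Type: text/javascript; charset=utf-8'];

    // Modern browsers label cross-site requests with Sec-Fetch-Site; a
    // <script src=...> from another site arrives as "cross-site". Older
    // browsers send no such header, so this supplements, and does not
    // replace, keeping secrets out of script-includable responses.
    if (($req['Sec-Fetch-Site'] ?? '') === 'cross-site') {
        $headers[] = 'Cache-Control: no-store';
        return ['status' => 403, 'headers' => $headers, 'body' => ''];
    }

    if ($volatile) {
        // Very dynamic data: forbid storing the response anywhere.
        $headers[] = 'Cache-Control: no-store';
        return ['status' => 200, 'headers' => $headers, 'body' => $body];
    }

    // Less frequently changing data: let the browser keep a copy but make it
    // revalidate. "private" keeps per-user output out of shared caches, and
    // Vary: Cookie tells any cache that the body depends on the session.
    $etag = '"' . hash('sha256', $body) . '"';
    $headers[] = 'Cache-Control: private, max-age=0, must-revalidate';
    $headers[] = 'Vary: Cookie';
    $headers[] = 'ETag: ' . $etag;
    $headers[] = 'Last-Modified: ' . gmdate('D, d M Y H:i:s', $lastModified) . ' GMT';

    // Conditional request handling (RFC 7232): If-None-Match wins when
    // present; otherwise fall back to If-Modified-Since.
    if (isset($req['If-None-Match'])) {
        $candidates = array_map('trim', explode(',', $req['If-None-Match']));
        $fresh = in_array($etag, $candidates, true) || in_array('*', $candidates, true);
    } elseif (isset($req['If-Modified-Since'])) {
        $since = strtotime($req['If-Modified-Since']);
        $fresh = $since !== false && $since >= $lastModified;
    } else {
        $fresh = false;
    }

    if ($fresh) {
        return ['status' => 304, 'headers' => $headers, 'body' => ''];
    }
    return ['status' => 200, 'headers' => $headers, 'body' => $body];
}

// Constructed data; json_encode() keeps the name from breaking out of the literal.
$userName     = "O'Brien";
$lastModified = 1700000000; // Tue, 14 Nov 2023 22:13:20 GMT
$body = 'var name=' . json_encode($userName, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) . ";\n";

// Constructed request headers for four scenarios.
$requests = [
    'first visit'          => [],
    'revisit, same ETag'   => ['If-None-Match' => '"' . hash('sha256', $body) . '"'],
    'revisit, stale copy'  => ['If-Modified-Since' => 'Tue, 14 Nov 2023 00:00:00 GMT'],
    'cross-site <script>'  => ['Sec-Fetch-Site' => 'cross-site'],
];

foreach ($requests as $label => $req) {
    $resp = serve_script($body, false, $lastModified, $req);
    echo $label, ': ', $resp['status'], ' ',
         $resp['body'] === '' ? '(no body)' : 'body sent', PHP_EOL;
}
```

In a real handler the returned array is emitted with http_response_code() and one header() call per entry before echoing the body. The "private" directive and Vary: Cookie are the part people forget: a script that contains the logged-in user's name must never be served from a shared cache to the next visitor, which is a quieter version of the same information leak the cross-site <script src> example illustrates.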