[erlang-questions] Two beautiful programs - or web programming made easy

Frédéric Trottier-Hébert <>
Thu Feb 17 13:12:37 CET 2011



On 2011-02-16, at 23:26 PM, Edmond Begumisa wrote:

> 
> Apparently, JQuery is super smart how it handles this in relation to possible XSS attacks ... or so I hear. Personally, I don't really see the difference. Frédéric seems more informed here and would be in a better position to explain.

The framework uses the usual DOM functions to manipulate HTML elements.  As an example, you have the .text() and .html() functions to handle text for you. using .html(Val) on some element will allow you to change the HTML inside it. Using .text(Val) will however attach the element with something equivalent to 'document.createTextNode(Val)' (with all compatibility taken in account for all browsers on top of it).

jQuery usually just makes it simpler to use a clean interface, have proper attributes and whatnot, but it does delegate most of the escaping to the browser (and rightly so!). 

Things where jQuery does more than the basic browser are usually on a higher level. As an example, it provides  JSON parsing/handling for $.getJSON calls.  Another example could be the '$.getScript()' method, which allows you to dynamically add a .js file to the page, but with safer escaping than just dumping it in (it does just create a text node, but again, provides the proper abstraction to make it sure you'll be safer).

It is possible to have safe input of data by using the right type of DOM manipulation. It is easier to do it right when you have proper abstractions through libraries or frameworks and whatnot. 

--
Fred Hébert
http://www.erlang-solutions.com



More information about the erlang-questions mailing list