From the OWASP AJAX security cheat sheet:
Eval is evil, never use it. The need to use eval usually indicates a problem in your design.
I understand that eval'ing untrusted JS code can lead to a world of pain, but I do not understand the categorical nature of the OWASP ban. The way I understand things, it is perfectly possible to use eval safely, namely when the eval'ed code is trustworthy.
I am developing a web game application in my free time (not yet published). In this application I use eval. Although it is a single-page application, sometimes I find it easier to have the server send HTML fragments to the browser instead of having the browser build the page from scratch. So this is what I am doing:
- Have the browser start an XMLHttpRequest to the server for a page fragment;
- Load the received HTML code (this implies innerHTML, which by the way is another thing OWASP warns against);
- Since innerHTML does not execute the JS code present in the assigned fragment, look for that code in the loaded HTML and eval it.
By doing this, I clearly violate the OWASP guidelines. However, I do not see how this is less secure than the normal case of loading an HTML/CSS/JS page from the server without AJAX, simply by typing the page's address in the browser's address bar. In both cases (loading the page from the address bar vs. innerHTML'ing and, gasp!, eval'ing the response of an AJAX call to the server) there is an implicit assumption of trust in this web page. If the server is compromised and starts serving malicious HTML/JS, everyone is equally in trouble, even if no evil eval is used. Otherwise, they are all equally safe.
However, I know that I am not an expert, that I am likely to have a very limited understanding, and that if OWASP categorically prohibits something, it is likely that they have good reasons for it. So let me ask: what are the risks of doing what I described?
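As an added example (not the asker's code, and not an answer to the question), here is the XMLHttpRequest → innerHTML → "find the script and eval it" procedure from the post modelled in Node.js. There is no DOM in Node, so innerHTML is replaced by a small string parser over the fragment, and the fragment, the local apiToken variable and the function names are all constructed for the illustration. It shows one concrete difference between the two cases the post compares that the post does not mention: a direct eval runs the fragment's scripts in the caller's lexical scope, whereas a script in a normally loaded page, like an indirect eval, runs at global scope.

```javascript
// Added example (not the asker's code): models the XHR -> innerHTML ->
// "find the script and eval it" procedure from the question in plain Node.js.
// There is no DOM here, so the fragment is a string and <script> extraction
// is a small regex parser standing in for what innerHTML would have inserted.

// Constructed sample response, standing in for the XMLHttpRequest result.
// The third script is the kind of thing a compromised server might send.
const FRAGMENT_FROM_SERVER = `
  <div id="inventory"><span>Potions: 3</span></div>
  <script>result.push("fragment ran");</script>
  <script type="text/plain">not JavaScript; a browser would not run this either</script>
  <script>result.push("token=" + (typeof apiToken === "undefined" ? "<not visible>" : apiToken));</script>
`;

// Return the bodies of executable <script> elements in document order.
// innerHTML inserts these elements but never runs them, which is why the
// question's third step has to dig them out and evaluate them by hand.
function extractScripts(html) {
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let match;
  while ((match = scriptRe.exec(html)) !== null) {
    const typeMatch = /\btype\s*=\s*["']?([^"'\s>]+)/i.exec(match[1]);
    const type = typeMatch ? typeMatch[1].toLowerCase() : "text/javascript";
    // Browsers only execute script blocks with no type or a JavaScript MIME type.
    if (type === "text/javascript" || type === "application/javascript") {
      bodies.push(match[2]);
    }
  }
  return bodies;
}

// Variant 1: direct eval, as written in the question. Direct eval runs the
// code in the caller's lexical scope, so the fragment can read `apiToken`
// even though nothing in the page ever meant to expose it.
function runWithDirectEval(html) {
  const result = [];
  const apiToken = "session-token-kept-in-a-closure"; // hypothetical local secret
  for (const code of extractScripts(html)) {
    eval(code); // direct eval: sees result, apiToken and everything else in scope
  }
  return result;
}

// Variant 2: indirect eval. (0, eval)(code) evaluates in the global scope,
// which is what a <script> in a normally loaded page gets: the fragment sees
// only what was deliberately made global (`result` here), not `apiToken`.
function runWithIndirectEval(html) {
  const result = [];
  const apiToken = "session-token-kept-in-a-closure"; // same hypothetical local secret
  globalThis.result = result; // the one thing the fragment is allowed to touch
  try {
    for (const code of extractScripts(html)) {
      (0, eval)(code); // indirect eval: global scope only
    }
  } finally {
    delete globalThis.result;
  }
  return result;
}

console.log("direct eval:  ", runWithDirectEval(FRAGMENT_FROM_SERVER));
console.log("indirect eval:", runWithIndirectEval(FRAGMENT_FROM_SERVER));
```

Run it with node: the direct-eval variant returns the closure's token, the indirect one reports it as not visible. This does not change the trust placed in the server (a compromised server still runs whatever it likes in the page in both cases), but it is the kind of footgun behind the blanket advice: a direct eval hands the evaluated text whatever the surrounding code happens to have in scope, which a normally loaded script never gets. Note also that under a Content-Security-Policy with a script-src directive, both variants need 'unsafe-eval' to run at all.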