Save State - Cookie Eval and Script Injection Vulnerability

Save State - Cookie Eval and Script Injection Vulnerability

JamesJohnsonJamesJohnson Posts: 4Questions: 0Answers: 0
edited March 2009 in General
Sorry I didn't post a couple of weeks ago when I was trying out the beta. If the new Save State feature is enabled, it looks like _fnLoadState does an Eval on the cookie right off the bat so as to read object properties rather than tediously parse the string. That's probably not a good idea on the Internet though because it's vulnerable to script injection yah? Since the cookie data is JSON friendly, I'd probably use JSON2 to parse() it. I think it does eventually use Eval itself, but first it verifies the JSON is well formed and function free. (Is there a built-in jQuery way to do that? w/o including JSON2)? The soulless fiends could still through off your values, but I'm guessing that'll just precipitate an error soon enough if it's not convenient to go ahead and validate the upper and lower bounds of the various settings.

Has anyone used one of those end-to-end "guardian angel" solutions that promise to magically relieve developers of such burdens? I want to believe...




  • allanallan Posts: 57,236Questions: 1Answers: 9,113 Site admin
    Hi James,

    Indeed you are right - I do use an eval to do this (slaps self on wrist). I did this because jQuery doesn't provide a method by which to safely evaluate a string (indeed it uses "window["eval"]("(" + data + ")");".....).

    What I've done is to put in a check for the JSON object, and use that if it is available. If not then it will continue doing what it currently do (such that DataTable's does not depend on another library). So if you want to ensure security - just include the json2.js file.

    This change will be released with 1.4.1 (likely tomorrow).

  • JamesJohnsonJamesJohnson Posts: 4Questions: 0Answers: 0
    Groovy, thanks again Allan!
This discussion has been closed.