使用PHP交付JavaScript是否安全?
[英]Is it safe to use PHP to deliver JavaScript?
问题描述
I'm using the following: 
我正在使用以下内容:
<script type="text/javascript" src="/php/dictionary.php">
</script>
dictionary.php is a PHP Script that outputs JavaScript code. dictionary.php是输出JavaScript代码的PHP脚本。 The reason I am using dictionary.php to generate JavaScript is that certain values in JavaScript depends on the Locale & User. 我使用dictionary.php生成JavaScript的原因是JavaScript中的某些值取决于语言环境和用户。
I was wondering if this technique is as safe as using Javascript file directly? 我想知道这种技术是否像直接使用Javascript文件一样安全?
2 个解决方案
解决方案1
3 2012-07-17 18:01:20
No, it's not safe as you want different scripts for different users. 不,这是不安全的,因为您希望为不同的用户使用不同的脚本。 The script will be cached, so a user may get the script for a different user who was logged in on the same computer earlier. 该脚本将被缓存,因此用户可能会获得先前登录同一台计算机的其他用户的脚本。
If you need it to be safe, generate a code for the logged in user, and send that in the querystring when you request the script, so that you can verify that the correct user gets the script. 如果需要安全性,请为登录的用户生成一个代码,然后在请求脚本时在查询字符串中发送该代码,以便您可以验证是否有正确的用户获取了该脚本。 As the URLs will be different, the will also be cached separately. 由于网址会有所不同,因此也会分别进行缓存。
解决方案2
1 2012-07-17 17:48:02
Javascript will only affect the client-side. Javascript仅会影响客户端。 Unless you are exposing client-side operations that affect other users in the .php file, in which case cross-site scripting may be abused, it should be fine. 除非您在.php文件中公开影响其他用户的客户端操作,否则这种情况下跨站脚本可能会被滥用,这应该没问题。
Reference : http://en.wikipedia.org/wiki/Cross-site_scripting 参考 : http : //en.wikipedia.org/wiki/Cross-site_scripting
This is safe as any potential exploit they may pursue would only affect the client-side, given that all server-side files called from the Javascript are patched for security as well. 这是安全的,因为考虑到从Javascript调用的所有服务器端文件也已修补以确保安全性,他们可能追求的任何潜在利用都只会影响客户端。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.