1. Some jQuery bugs

    by Arjun Sreedharan

    jQuery is probably the best thing to have happened to an otherwise lousy language, JavaScript. Here are just a couple of things I felt don’t fare well with jQuery.

    XSS !!!

    Suppose you want to create an HTML element on the fly. You could use the $() method and pass it a string that looks like HTML.
    If the string matches the regex for an HTML tag, then the string is internally passed to the $.parseHTML() method.

    So, I could create a div like:

    var $mainDiv = $("<div class='main-div'></div>");

    What if a script is passed as an event attribute:

    $("<img src=x onerror=alert(/hacked/)></img>");

    Here’s what happens:

    The onerror event was fired just when the node was created. I could pass any malicious script here instead of the alert, which would then be run immediately. Busted!!

    What if I give a valid URL for the src attribute?
    A GET request is immediately sent to the URL.

    What if you are logged in? If the src path meets the cookies’ restrictions,
    you are sending off your cookies as well.
    Busted again!!
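
    A defensive counterpart to the two cases above, as an added example that is not part of the original post: when untrusted data has to end up in an img element, vet the src against an origin allowlist and escape every attribute instead of handing a concatenated string to $(). The origins, the "#gallery" selector and all function names are assumptions made for the illustration.

```javascript
// Added example. PAGE_ORIGIN, ALLOWED_ORIGINS and the function names are hypothetical.
const PAGE_ORIGIN = "https://app.example"; // assumed origin of the page
const ALLOWED_ORIGINS = new Set([PAGE_ORIGIN, "https://cdn.example"]);

// Escape the characters that let text break out of an attribute value or text node.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Resolve an untrusted src and accept it only if it is http(s) on an allowlisted
// origin, so the browser never sends a GET (with cookies) to an arbitrary host.
// Returns the normalized URL string, or null when the value must not be loaded.
function vetImageSrc(untrusted) {
  let url;
  try {
    url = new URL(String(untrusted), PAGE_ORIGIN + "/");
  } catch (e) {
    return null; // not parsable as a URL at all
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return ALLOWED_ORIGINS.has(url.origin) ? url.href : null;
}

// Build markup with every attribute quoted and escaped, so a value such as
// "x onerror=alert(/hacked/)" stays inside src and cannot add an event attribute.
function safeImgMarkup(untrustedSrc, untrustedAlt) {
  const src = vetImageSrc(untrustedSrc);
  if (src === null) return null;
  return '<img src="' + escapeHtml(src) + '" alt="' + escapeHtml(untrustedAlt) + '">';
}

// In a page with jQuery loaded, the attribute API avoids string building entirely:
//   var src = vetImageSrc(value);
//   if (src) $("<img>").attr({ src: src, alt: label }).appendTo("#gallery");
```
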


    The .data() method:

    Now, I am going to attach some data to my body element:

    $("body").data({"my-fav": 7});

    Let me try to see if the data’s set.



    Well, 7 is no longer my favorite number; I should change it to 5.
    Here I go:

    $("body").data("my-fav", 5);

    Now let me check if it’s there:


    Oops !! It hasn’t changed.

    Let me have a look at all the data the node has:

     >>Object {my-fav: 7, myFav: 5}

    If I remove the hyphen and camelCase the key:


    But "myFav" isn’t what I asked for !!

  2. Disclaimer: The views expressed here are solely those of the author in his private capacity and do not in any way represent the views of the author's employer or any organization associated with the author.

Arjun Sreedharan 2013