The Madness of AJAX

[mdlbear]

Good talk in the early afternoon sessions, with the fascinating title "The Madness of AJAX". Some good, scary demos. If you have an AJAX app, make sure you validate data *on the server!!* DO NOT trust the client-side code, even if you think you wrote it. Other client-side processes can change it.

Comments

[madfilkentist]

Can you point me at a reference? Some people where I work are getting enthusiastic about Ajax. I distrust anything with JavaScript in it.

[mdlbear]

Slides should be up on the web after the conference, if they aren't already. I'll try to remember to chase down a reference. AJAX is actually potentially very useful; you just have to make sure that your server doesn't blindly trust anything sent back to it by the client. No different from any other CGI; the problem is that a lot of AJAX toolkits are written by programmers who are insufficiently paranoid.

[aerowolf.livejournal.com]

It's exactly the same problem with form data. Just because you wrote the HTML that you sent out doesn't mean that it's going to be the same form's data that comes back. ALWAYS check your input, since the client is BY DEFINITION an untrusted source.

[madfilkentist]

That makes sense to me. But our SOP for bad form data seems to be "Crash in the most obscure way possible."

[aerowolf.livejournal.com]

Crashing in obscure ways isn't a bad thing... as long as you ensure that you crash SAFELY.

You don't want to put untrusted data into the stack unchecked, for example.

[mdlbear]

"Crash in the most obscure way possible" is a bug, whether you're using client-side javascript or not.