Hello - I am using jQuery to do some inline form validation during user registration to prevent form errors after posting by checking to see if:

  • username is available
  • email has not already been registered

The idea is to give the user feedback before the form is submitted to prevent frustration. The code is at the bottom.

Questions:

  • Is this a potential security problem? I had the thought that someone looking at my JavaScript could find the URL I am polling for the username/email confirmation and then use it themselves (I don't know why they would do this, but one never knows).
  • If it is, what protections can I implement? I had read a little about cross-site scripting protection but am not sure how it could be implemented in an AJAX request such as this, or if it is even necessary.

Thanks for your input.

Current Code:

I have defined the following view (which I took from some snippet, but can't recall where):

from django.contrib.auth.models import User
from django.http import HttpResponse, HttpResponseServerError

from myapp.models import UserProfile  # placeholder: import UserProfile from wherever it is defined

def is_field_available(request):
    # Answers with the plain text "True" or "False"; the jQuery side compares against "True".
    if request.method == "GET":
        get = request.GET.copy()
        if 'username' in get:
            name = get['username']
            # Taken if either an auth username or a profile display name matches (case-insensitive)
            if User.objects.filter(username__iexact=name) or \
                    UserProfile.objects.filter(display_name__iexact=name):
                return HttpResponse(False)
            else:
                return HttpResponse(True)
        if 'email' in get:
            email = get['email']
            if User.objects.filter(email__iexact=email):
                return HttpResponse(False)
            else:
                return HttpResponse(True)

    return HttpResponseServerError("Requires username or email to test")

Here is a sample of the jQuery code:

var $input = $(this);  // the field being validated; captured here because `this` is not the input inside the callback
$.get('is-user-name-available/', { email: $input.val() },
    function(data, status){
        // fieldValid/fieldInvalid are custom plugin methods assumed to be defined elsewhere
        if(data == "True"){
            $input.fieldValid();
        } else {
            $input.fieldInvalid("This email address has already been registered.  Try another or recover your password.");
        }
});

Edit: updated the code and rephrased my questions. [10/07/09]

+1  A: 

See http://www.djangosnippets.org/snippets/771/ - you can restrict your view to ajax requests. The only way to do cross-domain ajax is jsonp which you do not support in your view.

zgoda
Hmm - so, are you saying that by limiting the view to an ajax-only request, someone else wouldn't be able to write a javascript function from *their* site and use it (because I don't support jsonp)? Did I understand correctly? Thanks!
thornomad
Exactly, sir. :)
zgoda
I am going to get right on that! Thanks.
thornomad
+1  A: 

Yes, this is a potential security problem, but not too big a one: just make sure that your code is safe, and always returns something that doesn't reveal information that should be hidden.

There's nothing bad if someone enters example.com/account/verify_username/?username=admin in the browser (although I'd suggest using POST only here).

So what should be done:

  1) Verify that all the parameters you need are present and in the correct format
  2) Possibly verify where the request came from
  3) Make sure you handle all exceptions that can happen in the code
  4) Don't forget about unit testing - for that, try to place your logic NOT in a view, but in some method :)

Vitaly
Thanks for the response - why would you use POST instead of GET (because, to me, it seems we are "getting" information)?
thornomad
Vitaly
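Putting both answers together, here is an added example (not code from the question or from either answer) of the availability view with zgoda's AJAX-only restriction and Vitaly's four points applied. It is written as framework-independent Python so it runs without Django: `FakeRequest` is a hypothetical stand-in for the parts of a Django `HttpRequest` the view reads, and the `taken_*` sets stand in for the `User`/`UserProfile` queries.

```python
import re
from dataclasses import dataclass, field


@dataclass
class FakeRequest:
    """Hypothetical stand-in for the HttpRequest fields the view uses."""
    method: str = "GET"
    GET: dict = field(default_factory=dict)
    META: dict = field(default_factory=dict)


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,30}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_ajax(request):
    # jQuery sets this header on $.get/$.post. A URL typed into the address bar
    # or a plain <form> on another site cannot set it, which is what the
    # djangosnippets decorator zgoda links to checks for.
    return request.META.get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest"


def check_availability(params, taken_usernames, taken_emails):
    """Pure logic, kept out of the view so it can be unit tested (point 4).
    taken_* are lowercase sets standing in for the database lookups.
    Returns (status_code, body)."""
    if "username" in params:
        name = params["username"]
        if not USERNAME_RE.match(name):          # point 1: format check
            return 400, {"error": "invalid username"}
        return 200, {"available": name.lower() not in taken_usernames}
    if "email" in params:
        email = params["email"]
        if not EMAIL_RE.match(email):
            return 400, {"error": "invalid email"}
        return 200, {"available": email.lower() not in taken_emails}
    return 400, {"error": "username or email required"}  # point 1: presence check


def is_field_available(request, taken_usernames, taken_emails):
    """The hardened view: method check, AJAX-only check (point 2), then the
    validated logic. By design it still confirms whether a name or address is
    registered, so in production it should also be rate limited."""
    if request.method != "GET":
        return 405, {"error": "GET only"}
    if not is_ajax(request):
        return 403, {"error": "AJAX requests only"}
    try:
        return check_availability(request.GET, taken_usernames, taken_emails)
    except Exception:  # point 3: never leak a traceback to the caller
        return 500, {"error": "internal error"}
```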