views: 218, answers: 3

Hello all,

I am curious as to what, if any, security concerns other developers have in regards to the use of jQuery plugins. I have seen very little talk about security where jQuery is concerned. Is it really a non-issue?

Appreciate your thoughts!

+7  A: 

Personally I am comfortable enough with JavaScript to be able to sift through the plugin code and understand possible misbehavior.

What I look for is the most relevant security issue with JavaScript, cross-domain communication, which is usually done with the creation of iframes, script/img tags etc.

Most of the times though, I trust the community, for example if it's up on http://plugins.jquery.com/ it is usually a trusted source.

Luca Matteis
A: 

The most popular ones are used all over the web on major web sites. If there is a security concern, someone else has probably already noted it. Also, a lot of the most-used jQuery plug-ins come from the same developers who are very active in the community, so it's fairly safe to trust them. (Jörn Zaefferer, the guy who did the validation plug-in, comes to mind)

Granted, it's a good idea to always test and always be skeptical, but at some point it becomes cost inefficient to worry too much.

Stuart Branham
+2  A: 

jQuery can't do anything that JavaScript itself can't do, so all the same security standards apply. Basically - never rely on it for security. Always validate all inputs on the server side.

The best way to think of it is that from a security perspective, the client-side JavaScript is not actually a part of your application. Your application consists of all the possible HTTP calls to your server. For good security, assume that hackers won't even be using a browser - they'll be making HTTP requests directly to your server. Make sure that you aren't exposing any vulnerabilities in your HTTP endpoints, and you should be OK.

Note: I made the assumption in this reply that you're talking about data and system security. User security (preventing your users from being phished, etc.) is another kettle of fish, but I'm not sure it has to do with jQuery any more than JavaScript in general.

levand
I believe the concern was with malicious code being planted in a jQuery plugin. That's something that could happen with any JavaScript library, but not something that could happen if you're going commando.
Stuart Branham