• Your Name (unregistered)

    Your Comment

  • William Crawford (google)

    Sounds like they made the button (and probably other UI elements) re-usable with a templating system (PHP). The only real WTF is the escaping, and that's explainable by the mere existence of junior programmers. It's a super quick fix... Just escape it properly.

  • MaxArt (unregistered)

    Any server-side generated JavaScript is pure evil.

    Never do that, guys. Never. The only acceptable thing is setting a variable equal to a serialized JSON, to be used by the actual client-side JS view logic. The rest is a huge NOPE.

    Got there recently when I had to deal with a server-side generated JS that used to build an entire menu, used to look and feel the same in all the subdomains. It injected not only logic, but also HTML and CSS. It was horrible. Even more so because it gave jQuery for granted, while the new application is based on Angular and jQuery is nowhere to be seen...

  • jshell (unregistered)

    Until you've seen copious amounts of client side javascript code generating more client side javascript code you've not truly seen hell.

    scr += "function assignScripts(){\n;"; scr += "var jqscr = document.getElementById("jqueryScript");\njqscr.setAttribute("src","/sysicons/jquery-current.js");\n"; //scr += "alert('load ' + jqscr.getAttribute('src'));\n"; scr += "var sgscr = document.getElementById("sysscript");sgscr.setAttribute("src",MYAWG + "/display/app/sys-remit/js");\n"; scr += "}\n";

  • What? I'm not giving you my name. (unregistered)

    Pretty sure Konstantinos would like to escape this one.

  • (unregistered) (unregistered)

    (unregistered)

  • eric bloedow (unregistered)

    this reminded me of an old book called "hard drive": a programmer who worked on a voice recognition program slipped in several hidden operations that would generate a VIRUS!

  • markm (unregistered)

    What happens when one of those characters is already escaped?

  • P. Wolff (unregistered) in reply to markm

    In a string variable?

    Well, the escape character would be escaped, that's all.

  • Never Roll Your Own Escaping (unregistered)

    Could've been solved with a trivially simple

    var edit_button = <?php echo json_encode(... fetch logic ...) ?>;
    

    Boom. Valid Javascript data value, no "hope I got this right" manual escaping.

  • Deez (unregistered)

    Why are there unicorns on the site?

  • Karl Bielefeldt (github)

    Am I reading that right, that JavaScript sends arbitrary php code to be executed server side? That doesn't seem like a massive gaping security hole, at all!

  • Parametamolcil (unregistered) in reply to P. Wolff

    And then they have to laboriously recapture the escaped characters.

  • staticsan (unregistered)

    Someone needed to read the PHP manual more carefully. It's easy to do all the string escaping in one call to str_replace(). Nesting like that is required in SQL.

  • Hand-E-Food (unregistered)

    When the only tool you have is a melon baller...

  • n0rwin (unregistered) in reply to Karl Bielefeldt

    It's the other way round. The file is being created on the server using PHP. So they use PHP to create JavaScript. Not that big of a security hole. Just ugly.

  • binki (unregistered)

    And that is why json_encode() exists.

  • Anon (unregistered) in reply to Karl Bielefeldt

    Rather the opposite. The results of the server-side code are injected into the client-side javascript. This happens on the server before the page is sent to the client.

  • anon (unregistered)

    I worked on a code base like this. It was the worst. Wordpress plugins getting called by javascript, building scripts with php templates that set up globals for other scripts, ajax into php files, ajax into other scripts. It was a nightmare

  • P. Wolff (unregistered) in reply to MaxArt

    If this only were generated JavaScript it would be hardly more than Purgatory.

    But the article's headline is misleading - this is generated PHP. Client-side generated PHP.

    Ok, I suppose this PHP generating JavaScript was in turn generated by some PHP script.

    (Which might have been created by some VBA script, who knows ...)

  • MaxArt (unregistered) in reply to P. Wolff

    No, it's "classic" generated JS by a PHP script. The PHP part isn't generated. Double generated code is the mental child of an arch-demon. This isn't so bad...

  • (nodebb) in reply to P. Wolff

    No, it's an optical illusion. The PHP is processed on the server, creating strings that are interpolated into the page. It happens that the interpolation occurs within a script, but that's a red herring.

    This isn't specific to PHP. The same effect can occur with ASP, JSP, VTL--any server-processed language that lets you insert strings into HTML pages.

  • cowbert (unregistered)

    Even outside of PHP, most server-side templates allow server-side injection into any part of the page, including javascript. See Django (in fact, in order to make your URLs portable you need to invoke {% url reverse_url_name %}, so you could have both or $.get("{% url some_view %}") even.

Leave a comment on “The Generated JavaScript”

Log In or post as a guest

Replying to comment #490366:

« Return to Article