in reply to execute JS in http response in perl

It's usually not a good practice for the server to send JS to be blindly executed on the client side. Anyone could send anything and it would be blindly executed on the client side . . .
  • Comment on Re: execute JS in http response in perl

Replies are listed 'Best First'.
Re^2: execute JS in http response in perl
by tobyink (Canon) on Jul 24, 2012 at 14:00 UTC

    Nonsense, this is how all browsers work - they blindly execute incoming scripts. I'm not saying there have never been any security issues doing this, but they've been few and far between. Why? Because the Javascript environment provided by browsers don't expose any potentially harmful system calls. For example, there does not exist a function in browsers' Javascript APIs which deletes a file from the filesystem.

    Of course, non-browser implementations of Javascript may expose whatever additional system functionality they like.

    perl -E'sub Monkey::do{say$_,for@_,do{($monkey=[caller(0)]->[3])=~s{::}{ }and$monkey}}"Monkey say"->Monkey::do'
[reply]
Re^2: execute JS in http response in perl
by moritz (Cardinal) on Jul 24, 2012 at 16:21 UTC

    This is why browsers sandbox the javascript they receive from all servers, so that it can't open files from the file system, fork processes, change the browser's GUI etc. These days many browsers even prevent javascript from opening new browser windows.

    So when you write Perl code that executes Javascript, you should make sure it's also sandboxed the same way.

    Perl 6 - the future is here, just unevenly distributed
[reply]

In Section Seekers of Perl Wisdom