Validating data with built-in functions
JavaScript provides built-in functions to evaluate data type. Some functions are provided
directly within JavaScript; others are provided by the jQuery library.
The isNaN function provides a way to evaluate whether the value passed into it isn't a
number. If the value isn't a number, the function returns true; if it is a number, it returns false.
Be aware that the global isNaN first converts its argument to a number, so isNaN("abc") is
true but isNaN("") and isNaN(null) are both false, because the empty string and null convert
to 0. Number.isNaN does no conversion and is true only for the NaN value itself. If the
expected form of data being evaluated is numeric, this function provides a defensive way to
determine this and handle it appropriately:
if (isNaN(value)) {
    // handle the non-number value
}
else {
    // proceed with the number value
}
The complement of the isNaN function is the isFinite function. The isFinite function is used in
the same way but returns true only if the value converts to a finite number; it returns false
for NaN and also for Infinity and -Infinity, which isNaN does not treat as "not a number". For a
value that must be a usable number, both checks are therefore needed.
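The following is an added example, not code from the original page, that puts the isNaN and isFinite checks to work on form-field strings. It contrasts the coercing global isNaN with Number.isNaN, and builds a small validator (the helper names parseFiniteNumber and isValidNumberLegacy are assumptions for this example) that rejects empty input, trailing garbage such as "12abc", and the non-finite values Infinity and NaN. The sample inputs in the comments are constructed for the demo.

```javascript
// Added example: numeric input validation with isNaN / isFinite / Number.isNaN.
// Runs in Node or a browser; no DOM required.

// Global isNaN converts its argument first: isNaN("abc") is true, but
// isNaN("") and isNaN(null) are false because "" and null convert to 0.
function isNotNumberLoose(value) {
  return isNaN(value);
}

// Number.isNaN never converts: anything that is not already the NaN value
// (including strings) is reported as "not NaN", so pair it with a typeof check.
function isNotNumberStrict(value) {
  return typeof value !== "number" || Number.isNaN(value);
}

// Hypothetical helper: parse a form field (always a string) into a finite number,
// or return null. Rejects empty/whitespace strings, trailing garbage ("12abc"),
// Infinity and NaN. Note that Number() also accepts "0x10" (16) and "1e3" (1000);
// if only plain decimals are acceptable, gate on DECIMAL_RE first.
const DECIMAL_RE = /^-?\d+(\.\d+)?$/;

function parseFiniteNumber(input, decimalOnly = false) {
  if (typeof input !== "string") return null;
  const trimmed = input.trim();
  if (trimmed === "") return null;               // Number("") is 0, so check first
  if (decimalOnly && !DECIMAL_RE.test(trimmed)) return null;
  const n = Number(trimmed);                      // "12abc" -> NaN, "Infinity" -> Infinity
  if (!Number.isFinite(n)) return null;           // drops NaN, Infinity, -Infinity
  return n;
}

// Same check written with the page's global functions. Both are needed:
// isNaN("Infinity") is false, and only isFinite rejects it.
function isValidNumberLegacy(input) {
  if (typeof input !== "string" || input.trim() === "") return false;
  return !isNaN(input) && isFinite(input);
}

// Constructed inputs for a quick run.
for (const sample of ["42", " 3.5 ", "12abc", "", "Infinity", "0x10"]) {
  console.log(JSON.stringify(sample), "->", parseFiniteNumber(sample),
              "(decimal only:", parseFiniteNumber(sample, true) + ")");
}
```

In a real form handler, call parseFiniteNumber on the field's value and treat null as a validation failure; never feed the raw string into arithmetic, because "" and " " silently become 0.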
Being able to validate data is very important as previously outlined. Equally important to
validating the data explicitly is ensuring that data-entry fields prevent users from injecting
script. Code injection is a widely discussed topic in website security. The next section discusses
preventing code injection.
Preventing code injection
Code injection is a technique that attackers use to get their own JavaScript code into your
webpage; when the injected code is script that runs in other users' browsers, it is known as
cross-site scripting (XSS). These attacks usually take advantage of dynamically created content
to have additional script run so that malicious users can try to gain some sort of control over
the website. Their intentions can be many, but among them might be to trick other site users
into providing sensitive information. Depending on the content of the page, different measures
need to be considered.
Protecting against user input
A web application that accepts user input opens up a potential attack surface for malicious
users. The size of the attack surface depends on what's done with the entered data. If the
website takes data and doesn't do anything with it outside the scope of the current webpage,
such as sending it to another server or storing it in a database, the effects are limited to the
current page and browser session. Little can be accomplished except to disrupt the design of
the website for this particular user. However, if the captured data comes from an account
creation form or a survey, for example, a malicious user has much more potential to do harm,
especially when that information is later rendered to the webpage dynamically. This inherently
allows anyone to add script to the site, which can open up the site to behavior such as phishing.
As a webpage developer, you need to ensure that user input can never be rendered as script.
Rejecting the < and > characters at input time blocks the simplest case, typing a script block
into a form, but it is not sufficient on its own: data placed inside an attribute value, a URL, or
an existing script block can carry script without those characters, and the same stored value
may be rendered in several places. The reliable control is to encode user data for the context
in which it is output (HTML entity encoding of < > & " ' for element content and attribute
values) or to insert it through DOM properties such as textContent rather than innerHTML,
treating input validation as a complement to output encoding rather than a substitute for it.
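The following is an added example, not code from the original page, that shows why filtering angle brackets alone is not enough and what context-aware encoding looks like. It renders a constructed profile snippet two ways: once after only stripping < and > (the rendering the text warns about) and once after HTML entity encoding. The display-name payloads, the helper names (stripAngleBrackets, escapeHtml, renderProfileUnsafe, renderProfileSafe, attributeNames) and the minimal tag parser used to inspect the result are all assumptions of this example; it builds markup as a string so it runs in Node without a DOM.

```javascript
// Added example: angle-bracket filtering vs. output encoding.
// Everything here is constructed for the demo; nothing comes from a real site.

// The naive input filter: drop "<" and ">" from whatever the user typed.
function stripAngleBrackets(input) {
  return String(input).replace(/[<>]/g, "");
}

// Output encoding for HTML element content and double-quoted attribute values:
// every character that can change the parser's context becomes an entity.
// "&" must be replaced first so already-produced entities are not re-encoded.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: user data is concatenated into markup after only the
// angle-bracket filter, and it lands inside a title attribute as well as in text.
function renderProfileUnsafe(displayName) {
  const cleaned = stripAngleBrackets(displayName);
  return '<div class="profile" title="' + cleaned + '">' + cleaned + '</div>';
}

// Hardened rendering: identical markup, but the data is entity-encoded, so it
// can neither close the attribute nor open a tag wherever it is placed.
function renderProfileSafe(displayName) {
  const encoded = escapeHtml(displayName);
  return '<div class="profile" title="' + encoded + '">' + encoded + '</div>';
}

// Minimal inspector for the demo: the attribute names of the first tag in the
// markup. A real browser parses the same way for this simple, quoted input.
function attributeNames(html) {
  const tag = html.match(/^<\w+([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /\s([\w-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// Constructed payloads.
// 1) The case the filter does catch: a literal script block.
const TAG_PAYLOAD = "<script>alert(1)</script>";
// 2) No "<" or ">" anywhere, yet it closes the title attribute and adds an
//    event-handler attribute that runs script when the element is hovered.
const ATTRIBUTE_PAYLOAD = '" onmouseover="alert(document.cookie)';

console.log("filtered tag payload :", stripAngleBrackets(TAG_PAYLOAD));
console.log("unsafe, tag payload  :", attributeNames(renderProfileUnsafe(TAG_PAYLOAD)));
console.log("unsafe, attr payload :", attributeNames(renderProfileUnsafe(ATTRIBUTE_PAYLOAD)));
console.log("safe, attr payload   :", attributeNames(renderProfileSafe(ATTRIBUTE_PAYLOAD)));
console.log(renderProfileSafe(ATTRIBUTE_PAYLOAD));
```

With the angle-bracket filter alone, the second payload yields a div carrying an onmouseover attribute the template never wrote; after escapeHtml the tag has only its class and title attributes and the payload is displayed as plain text. In the browser, prefer DOM APIs to string building: element.textContent = displayName and element.setAttribute("title", displayName) assign the data without ever parsing it as markup. URL and inline-script contexts need their own encoding rules; entity encoding is correct only for element content and attribute values.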