The ultimate method for ensuring top-notch security in JavaScript JSON Inline practices

Utilizing varnish+esi, I am able to retrieve external json content from a RESTFul API. This approach allows for efficient request management and data refreshing without burdening the webserver with each individual request.

For example:

<head>
.... 
<script> 
 var data = <esi:include src='apiurl/data'>;
</script>
...

Upon including the ESI, Varnish will return:

 var data = {attr:1, attr2:'martin'};

While this method works well, it may encounter parsing errors if the API responds with an error message.

var data = <html><head><script>...api js here...</script></head><body><h1 ... api html ....

To resolve this issue, I implemented a hidden div to manage and capture any potential errors:

...
<b id=esi-data style=display:none;><esi:include src='apiurl/data'></b>
<script>
  try{
    var data = $.parseJSON($('#esi-data').html());
  }catch{ alert('manage the error here');}
....

I also experimented with using a script type text/esi, but encountered issues where the browser would render the HTML within the script tag (strange behavior), as seen here:

<script id=esi-data type='text/esi'><esi:include src='apiurl/data'></script>

Question:

Is there a way to encapsulate the esi:include tag to prevent the browser from parsing it?

javascriptjsonparsingvarnishesi

Answer №1

Allow me to elaborate on the suggestion I mentioned regarding using an iframe in my previous comment—it's not as straightforward as you may think!

The concept is quite similar to what you're already doing, but instead of utilizing a regular HTML element like a div, you incorporate an iframe.

<iframe id="esi-data" src="about:blank"><esi:include src="apiurl/data"></iframe>

var $iframe = $('#esi-data');

try {
    var data = $.parseJSON($iframe.html());
} catch (e) { ... }

$iframe.remove();

#esi-data { display: none; }

How does this differ from your solution? There are two key distinctions:

  1. Your visitors truly cannot see the data/error page. An iframe follows an embedded content model, which means any content within the <iframe>…</iframe> tags gets entirely replaced in the DOM—but you can still access the original content using innerHTML.

  2. It adheres to HTML5 standards... somewhat. In HTML5, content inside iframe elements is treated as text. While it should technically be parseable as a fragment and only contain phrasing content (with no script elements!), it is essentially interpreted as text by both validators and browsers.

  3. Scripts within the error page will not execute. The content is parsed as text and replaced in the DOM with another document—eliminating any possibility for script elements to run.

Check it out live here. If you disable the line where I remove the iframe element and inspect the DOM, you'll observe that the HTML content is substituted with a blank document. Additionally, note that the embedded script tag remains inactive.

Important: while improbable, this approach could potentially fail if the third party introduces an iframe into their error page for any reason. To enhance this method's resilience, consider combining your method with another: encase the iframe in a hidden div that you delete once parsing is complete.

Answer №2

Here's another approach I can suggest.

While the solution you currently have may be the best option, one alternative method could involve using a less efficient way of calling esi:insert in a separate HTML window, then fetching the contents similar to how AJAX works on the server side. This process might resemble something like what is described in this article. You could then examine the retrieved contents, possibly using json_decode, and return an error JSON string upon success.

The main drawback I foresee with this approach is that it could be resource-intensive and potentially slow down requests since the separate page would need to be fetched as if your server was acting as a client, parsed, and then returned.

In my opinion, it might be best to stick with your current solution.

Answer №3

This particular issue presents a complex challenge with no straightforward solution, and in some cases, no solution at all.

I inquired about whether the document was HTML(5) or XHTML(5) because in the latter scenario, using a CDATA section to encapsulate the content could alter your approach slightly. The revised solution might look something like this:

...
<b id='esi-data' style='display:none;'>
    <![CDATA[ <esi:include src='apiurl/data'> ]]>
</b>
<script>
    try{
        var data = $.parseJSON($('#esi-data').html());
    }catch{ alert('manage the error here');}
....

This solution is effective if:

  1. You are utilizing XHTML5
  2. The error does not contain a CDATA section (as nesting CDATA sections is not possible).

I am uncertain if transitioning from one serialization to another is feasible, but I wanted to clarify the intention behind my question. Hopefully, this clarification will assist you in resolving the issue :).

Answer №4

Have you considered updating your API so that it returns JSON { "error":"error_code_or_text" } in case of an error? By doing this, you could enhance user experience by providing alerts for errors directly in the interface.

Answer №5

<script>var info = 555;</script>

<script>
info = <esi:include src='apiurl/info'>;
</script>

<script>
if(info == 555) alert("Oops, something went wrong");
</script>

If an error occurs and "info" is not in JSON format, a javascript error will be triggered. The following script block will handle this situation.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Choose components identified by a dot

If I have a simple script that displays an element based on the option selected, how can I handle periods in the values? For instance: <select id="my-selector"> <option value="cat.meow">Cat</option> <option value="dog.bark"> ...

javascriptjqueryelement

Regular expression for substituting values in a JSON string

Does anyone have a regular expression that can be used to identify all the numbers in a JSON string and enclose them in double quotes? For instance, in the JSON string below, I aim to enclose the Id and Phone values in double quotes. String jsonString = ...

javajsonregex

What is the best way to add a bootstrap file to my ejs templates?

I recently installed bootstrap using npm with the command 'npm -bootstrap@3'. However, when attempting to include the bootstrap.min.css file from node_modules in my application, I encountered an error message on my console. Here is a screenshot o ...

javascriptcssnode.jstwitter-bootstrapejs

What is the best way to sort through observable JSON file responses?

In the midst of my angular project, I have been assigned the challenge of filtering a massive file based on the "_type" key, which can hold various values. My current objective is to initiate the filtration process for _type = "COMPETITION". The structure ...

arraysjsonangulartypescript

Encountering a bug that states "TypeError: Cannot read properties of null (reading 'useState')" while trying to use useState in a react application

I'm working on incorporating useState into my Next.js app, but I encountered an error as soon as I added the line of code to initialize useState. The popup error message reads: TypeError: Cannot read properties of null (reading 'useState') ...

javascriptreactjsnext.jsuse-state

Easily convert grams to kilograms with just a click of a button using JavaScript

Enter Grams(g): <input type="text" name="grams" id="grams"><br> <br> <button type="button" onclick="kiloConversion()">Convert to Kilogram</button> <p id="conversionResult"></p> ...

javascripthtml

What is the best way to control the class name of elements using jQuery in an MVC4 application?

Among the <li> elements, one of them contains the class "current". Determining which <li> is the current one. View below: @{ int k = 10; //the value changes with each request } <ul class="car"> @foreach (var item in modelCoun ...

javascriptjqueryasp.net-mvchtml-lists

What is the best way to determine the total number of classes that come before a specific element

Currently, this is my approach: <script> function Answered(str) { var script = document.getElementsByClassName('Answered')[str]; if(script!==null) {script.setAttribute("style", "");} } </script> <span class=Answered style=" ...

javascriptjquery

Different Approach to Guarantee API

Here is the current structure of the promise executor: let p = new Promise((resolve, reject) => { }); It would be much cleaner if it were like this: let p = new Promise(r => { // r.resolve() / r.reject(); }); Is there a possibility to upd ...

javascriptnode.jspromisees6-promise

Strategies to manage or prevent a timezone offset while deploying a Next.js application on Vercel

Is there a way to ensure that a React/Next.js App always displays the local time in CEST, regardless of the user's location? For example, if I receive GMT time from the backend and want to offset it to display the CEST timezone, how can I achieve this ...

javascriptreactjsnext.jsverceltimezone-offset

Exporting modules in Node.js allows you to use functions

Can you explain why this code snippet is successful: exports.foo = 'foo'; var bar = require('./foo'); console.log(bar); // {foo: 'foo'} While this one fails to produce the desired output: var data = { foo: 'foo' ...

javascriptnode.jscommonjs

Issue with Bootstrap.js causing mobile menu to not expand when toggled in Rails app

Despite adding the .toggled class, my hamburger menu is not expanding when I click on the mobile menu. I've tried adjusting the order of the required javascript commands, but it doesn't seem to be working as expected. Here are the steps I'v ...

javascriptjqueryruby-on-railstwitter-bootstrapasset-pipeline

Steps for removing a p5.js instance once three.js assets have finished loading

I am trying to implement a preload animation using a p5 sketch while loading a three.js gltf file onto my webpage. The idea is to have the p5 animation play while the heavy gltf file loads in the background. However, I am facing issues with triggering the ...

javascriptthree.jsp5.js

Get the Zip file content using PushStreamContent JavaScript

I am looking for the correct method to download a PushStreamContent within a Post request. I have already set up the backend request like this: private static HttpClient Client { get; } = new HttpClient(); public HttpResponseMessage Get() { var filenames ...

javascriptc#asp.netvue.js.net-framework-version

Using regular expressions in Javascript to extract decimal numbers from a string for mathematical operations

I'm currently working on a Vue method where I extract information from a WordPress database. The data retrieved sometimes contains unnecessary text that I want to filter out. Using the prodInfo variable, the input data looks something like this: 2,5k ...

javascriptregexvue.js

Choose a property and its corresponding value at random from a JavaScript object

Recently delving into the world of Javascript and seeking guidance. I set out to create a random picker from an array and succeeded with the following setup: var movie = ["star wars", "lotr", "moonlight", "avengers"] function newMovie() { var randomNu ...

javascripthtml

Identifying and capturing changes in child scope events or properties in Angular

I am encountering an issue with my form directive where I need to intercept ng-click events nested within varying child scopes of the form element. However, I am struggling to hook into these events or child scope properties in a generic way. For demonstr ...

javascriptangularjsangularjs-scope

Saving incoming text files from a client via a websocket connection: A step-by-step guide

I've been working on creating a websocket server in node.js from scratch, without relying on any frameworks. So far, I have successfully set up the messages to be sent from the client to the server. However, I recently encountered an issue when trying ...

javascriptnode.jshtmlwebsocket

Automatically append version number to requests to avoid browser caching with Gulp

When deploying my project, I utilize gulp to build the source files directly on the server. In order to avoid caching issues, a common practice is to add a unique number to the request URL as explained in this article: Preventing browser caching on web app ...

javascriptnode.jsnpmgulp

Preserving checkbox states upon click event

<form name="form_name" action="/" method="get"> <% if params["title"].present?%> <% if params["title"] == "1" %> <input type="checkbox" name="title" onclick="this.form.submit();" value="1" checked> ...

javascripthtmlruby-on-rails