
I am aware that any data coming into a server from a client should be handled safely (as in sanitized, whitelisted, etc.) but I had slapped together a very simple system that pulled file contents getting the file name from the query string all on the client side in JavaScript so that the processing of the query string is actually done client side instead of server side.

Essentially what I have at the moment is this:

    // Runs entirely in the browser: picks a script under assets/pages/
    // based on the ?page= query parameter and loads it with jQuery.
    function loadPage(){
        var urlParams = new URLSearchParams(window.location.search);
        var page = urlParams.get('page');

        // Missing or empty ?page= falls back to the home page.
        if(page == ''   ||   page == null){
            page = 'home';
        }

        var jFile = 'assets/pages/' + encodeURIComponent(page) + '.js';
        if(fileExists(jFile)){
            $.getScript(jFile, function loadReturn(data){
                loadComplete();
            });
        }
        else{
            console.log('404');
        }
    }

    // Synchronous HEAD request; blocks the page until the server answers.
    function fileExists(file) {
        var xhr = new XMLHttpRequest();
        xhr.open('HEAD', file, false);
        xhr.send();

        if (xhr.status === 404) {
            return false;
        } else {
            return true;
        }
    }

I understand the concern/risk on server side with things like PHP especially when dealing with databases so not sanitizing this seems like a bad idea, but on the other end I feel like if this was a security risk, anyone could just make the simple call anyways in their JavaScript console to whatever file they would try and exploit with this.

As far as the why, my goal was to make an extremely lightweight CMS of sorts and if this is just a terrible idea, security-wise I can build out a more complex system but if that is the case, I would be interested in the how/why it is a bad idea as well as possibly any client side solutions. The preference would be to not have any server side scripting on this.

Xandor
    *"anyone could just make the simple call anyways in their JavaScript console to whatever file they would try and exploit with this."* - client side sanitizing is optional in this use case, server side sanitizing is mandatory even if client side sanitizing is done. Possible duplicate of [How to validate user input](https://security.stackexchange.com/questions/163081/how-to-validate-user-input). – Steffen Ullrich Jun 02 '19 at 20:38
  • @mentallurg Is capitalization in the title (which grammatically should be capitalized other than articles) so bad that it actually warranted an edit? An explanation along with the edit would be more beneficial than an edit that seems to have no functional change. – Xandor Jun 06 '19 at 16:26
  • @Xandor: I have to admit that I am not a grammar expert. As far as I know grammar defines capitalization for a few cases only, like person names and city names. But capitalization in article titles has nothing to do with grammar. Capitalization rules are defined by a specific publisher (not by grammar) for a specific web site. For instance, web sites related to or inspired by the Associated Press use one set of rules for title capitalization, others use NY Times style, etc. Here is a good overview of this topic: https://capitalizemytitle.com. – mentallurg Jun 08 '19 at 10:28
  • @mentallurg I think there is a disconnect here. By articles I meant article words first of all and yes, I apologize because grammar was not the proper word but my question/argument still stands. The website you linked even capitalizes my title more in the fashion of how I had it. I am trying to figure out why it mattered enough, not only to warrant an edit, but to the point that multiple people approved it. Is there a rule or standard on this site I am not aware of? – Xandor Jun 08 '19 at 15:11
  • @SteffenUllrich I apologize that I did not see your duplicate comment earlier. This is not a duplicate question of that as mine is more focused on client side than server side when there is no access to server resources like databases and such. I have edited my question to try and make that more clear. – Xandor Jun 09 '19 at 16:12
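The following is an added example and not code from the question or the answer. It keeps the page-loading logic on the client, as the question wants, but resolves `?page=` against an allowlist of known page names before the value ever reaches a URL, so the server is only asked for one of a fixed set of script paths. For contrast, `originalScriptPath` shows what the question's `encodeURIComponent` construction produces for a traversal-style value: the request still goes out and its fate depends on how the web server treats an encoded slash. The page names `home`, `about` and `contact`, the `doc` parameter of `loadPage`, and the use of a `<script>` element (with its `error` event standing in for the synchronous HEAD probe) are assumptions made for illustration.

```javascript
// Added example (not from the original post). Validation is split into pure
// functions so it runs in Node without a DOM or jQuery; only loadPage()
// touches the document.

// Assumed allowlist of page names; in a real deployment this is the set of
// files that actually exist under assets/pages/.
const ALLOWED_PAGES = new Set(['home', 'about', 'contact']);

// Shape check: lowercase letters, digits and hyphens only, at most 64 chars.
// This rejects path separators, dots, percent signs and anything else that
// could change which file the browser asks for.
const PAGE_NAME_RE = /^[a-z0-9][a-z0-9-]{0,63}$/;
const DEFAULT_PAGE = 'home';

// Returns the page name to load, or null when the value is not acceptable.
function pageNameFromQuery(search) {
  const raw = new URLSearchParams(search).get('page');
  if (raw === null || raw === '') {
    return DEFAULT_PAGE;           // same fallback the question uses
  }
  if (!PAGE_NAME_RE.test(raw)) {
    return null;                   // wrong shape: never build a URL from it
  }
  if (!ALLOWED_PAGES.has(raw)) {
    return null;                   // well-formed but not a page we ship
  }
  return raw;
}

// Script path for the page, or null if the query did not name a known page.
function pageScriptPath(search) {
  const name = pageNameFromQuery(search);
  return name === null ? null : `assets/pages/${name}.js`;
}

// What the question's own construction yields for an arbitrary raw value.
// encodeURIComponent keeps '.' and encodes '/' as %2F, so a traversal-style
// value becomes a single odd filename rather than a parent-directory path;
// whether the server ever decodes %2F back into '/' is the server's choice.
function originalScriptPath(raw) {
  return 'assets/pages/' + encodeURIComponent(raw) + '.js';
}

// Browser-only loader. Instead of a blocking HEAD request, it appends a
// <script> element and reports a missing file through the element's error
// event. Returns the path it tried, or null if nothing was loaded.
function loadPage(search, doc = document) {
  const path = pageScriptPath(search);
  if (path === null) {
    console.log('404');
    return null;
  }
  const script = doc.createElement('script');
  script.src = path;
  script.onerror = () => console.log('404');
  script.onload = () => {
    if (typeof loadComplete === 'function') loadComplete();
  };
  doc.head.appendChild(script);
  return path;
}

// In the browser: loadPage(window.location.search);
```

With the allowlist in place, client-side validation costs a few lines and makes the intent explicit; the answer's point still stands that any server-side component that is later added (an upload endpoint, a search handler backed by a database) needs its own validation regardless of what the client does.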

1 Answer

  1. Validation / sanitizing is done on server only. In your example there is no server side code.

  2. If your client loads files that should be available to everyone without any restriction, then there is no need on server to check anything. I.e. you don't have to do anything on the server.

  3. "anyone could just make the simple call anyways" - this is a wrong statement. If some resources should only be available to particular users (e.g. web access to emails should provide only emails of the logged in user and not of other users), you will probably use some query to find corresponding data in the database. If you don't sanitize your query, you will allow SQL injection and unpredictable behaviour of your application: unpredictable uncontrolled modification of data, uncontrolled access of a user to the data of another user.

mentallurg
  • Right, I am aware of SQL injection for server side coding. And yes, all files reachable will not link to a database at all. I just am not very familiar with Apache and wanted to make sure SQL injection was not possible with simple file calls. As far as my comment on "anyone would be able to", I meant on the client side anyone could make a similar call with JavaScript. Not that the file would be there or anything like that. – Xandor Jun 03 '19 at 00:07
  • Is your question now answered? If not, what exactly is not answered yet? – mentallurg Jun 03 '19 at 00:09
  • Yes, I think this does answer it. Thank you very much for the clarifications on the matter. – Xandor Jun 03 '19 at 01:13