执行AJAX调用返回的JavaScript是否被认为是错误的形式? [英] Is it considered bad form to execute javascript returned by an AJAX call?
问题描述
我正在修改一个现有的Web应用程序,该应用程序具有管理能够登录系统的用户的功能.通过对话框修改用户的详细信息时,更新数据通过AJAX发送到服务器.然后返回几行javascript,以更新当前页面以反映这些更改,以实现执行目的.这让我感到不满意-远程执行JS危险吗?
I'm modifying an existing web application that features the ability to administrate users who are able to log into the system. When modifying a user's details via a dialog, update data is sent to the server via AJAX. A few lines of javascript to then update the current page to reflect these changes is returned with the intention of being executed. This strikes me as poor form - isn't executing remotely acquired JS dangerous?
如果要对此进行修改,我将使用AJAX调用来发送更新的信息,然后调用另一个通过AJAX从服务器获取最新数据的函数(或者,如果我感到懒惰,则只需刷新页面).进行此更改是否有任何优势(主要是安全性,但从体系结构的角度来看)还是我正在肛门?
If I were to modify this, I would have the AJAX call that sends the updated information then call another function that gets the latest data from the server via AJAX (or just refresh the page, if I am feeling lazy). Is there any advantage (mainly security, but from an architectural perspective as well) to making this change, or am I being anal?
推荐答案
假设我们正在谈论在非json上使用的eval.
Assuming we're talking about eval used on non-json.
人们会告诉您各种各样的事情,其中大多数具有现实基础.我要说的一个真正可以理解的原因:这将使代码成为维护的噩梦,并且很难跟踪错误.
People will tell you all sorts of things, most of it has some basis in reality. I'd say one reason that is really understandable: it will make the code a nightmare to maintain and it will be very hard to trace bugs.
出于安全方面的考虑,很多人喜欢跳起"javascript是客户端问题"的潮流.我说如果它来自您的网站,那也是您的问题.
There are security concerns, a lot of people like to jump on the "javascript is the clients problem" bandwagon. I say if it comes from your site, it's your problem too.
最后,没有充分的理由让我想到从服务器评估javascript.从服务器传递数据,然后在客户端编写javascript以对该数据做出反应.
In the end, there is no good reason I can think of to eval javascript from the server. Pass data from the server, and write the javascript on the client-side to react to that data.
这篇关于执行AJAX调用返回的JavaScript是否被认为是错误的形式?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
