Is this jquery code safe?
Is the following code safe?
    $iframe = $('<iframe id="iframe" src="' + $(this).attr('rel') + '" name="iframe">');
    $area = $("#ajax-area");
    $area.empty().append($iframe);

Where:

- $(this) is the link clicked.
- .attr('rel') stores the src for the iframe, and rel is created by PHP (no user input is entered here).
- And the $iframe contains the upload form.
It bothers me, since in this case the iframe src is a variable; I am afraid that a malicious user somehow manages to edit the rel attribute and open whatever iframe he or she wants. Is it possible?
EDIT
Thanks for your valuable answers.
PHP uses the following to populate rel:

    App::basePath . '/some/path/to/my/folder';

Where basePath is the constant that the developer selects.
I will redesign my jquery in a more appropriate way, as you guys suggested.
Theoretically, if the rel attribute is based on a server constant, there should be no additional security issues other than those that you cannot control, such as MiTM.
However, you should always be safe with these things; and jQuery provides such security by letting you pass attributes for the tag as a second argument to the constructor:
    $iframe = $('<iframe />', { id: "iframe", src: $(this).attr('rel'), name: "iframe" });

If an attacker cannot get to the rel attribute of the link, it must be safe.
However, it is difficult to say whether a piece of code is safe or not without a detailed view of the environment in which it works. Perhaps you can access the "safe" code snippet from another button by instantly making the assumption that the rel attribute is invalid.
However, until you provide the user code anywhere on your page, you should be safe. This means that you need to avoid each user's input, especially if that input is displayed somewhere else on your site (for example, a comment on a news article).