
One thing many people underestimate is how easy it is to run into XSS, XSRF, XSSI when not using a framework, in particular XSS when using native DOM APIs ("location.href = ..." - pwned. "e.innerHTML = ..." - pwned. "a.href = ..." - pwned. "*.src = ..." - pwned.).

You might not need a framework, but you'll need a structured approach to avoid those problems, and frameworks can help a lot with security.




Unless your framework bridges the backend and frontend you're not going to just magically get rid of XSS vectors.

Also regardless of what framework you are using you still have access to location.href, e.innerHTML, etc. I'm not really sure what you're trying to convey here but it's lost on me because, framework or not, all of these things still exist. Hell angular simply wraps location as do some other frameworks.


I thought his point was clear. A framework provides all those things, free of charge. Instead of using location.href or e.innerHTML you're invited to use framework.html(), etc. It's possible you would take care of escaping output on your own, but the point he was trying to convey is that you are likely to take shortcuts and not do all those things.


framework.html() would presumably have the same problems as e.innerHTML (as you're probably aware). The examples that come to mind are replacing something like...

  e.innerHTML = "<td class=\"" + type + "\">" + value + "</td>"
with:

  d3.select(e).append("td").attr("class", type).text(value)
or:

  $("<td></td>").addClass(type).text(value).appendTo(e)
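An added example, not posted by anyone in this thread, that spells out the difference the comment above is pointing at: the concatenated-innerHTML cell beside two safe renderings (escaped string building and DOM building), plus a guard for the href/src/location sinks named in the top comment. Function names (escapeHtml, renderCellHtml, renderCellDom, safeUrl) and the sample values are assumptions constructed for the example; the DOM variant only works where a document exists, the rest runs under Node.

```javascript
// Added example; not code from the thread.
// Escapes the five characters that can break out of text or an attribute
// value. Assigning .textContent has the same effect without building a string.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The naive cell from the comment above, kept for comparison: both `type` and
// `value` are interpolated raw, so either can inject markup or attributes.
function renderCellUnsafe(type, value) {
  return '<td class="' + type + '">' + value + "</td>";
}

// String-building version: every interpolated value is escaped, in attribute
// context (class) and in text context (value).
function renderCellHtml(type, value) {
  return '<td class="' + escapeHtml(type) + '">' + escapeHtml(value) + "</td>";
}

// DOM-building version (browser only): no markup is parsed, so there is
// nothing to escape. `e` is the parent element.
function renderCellDom(e, type, value) {
  const td = e.ownerDocument.createElement("td");
  td.className = type;     // attribute value, never parsed as HTML
  td.textContent = value;  // text node, never parsed as HTML
  e.appendChild(td);
  return td;
}

// Guard for URL sinks (a.href, *.src, location.href): parse with the URL API
// and accept only http(s). Relative input is resolved against `base`, so a
// "javascript:" string cannot pass as a relative path. Returns null on reject.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
function safeUrl(input, base = "https://example.invalid/") {
  let u;
  try {
    u = new URL(String(input), base);
  } catch (err) {
    return null; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : null;
}

// Constructed sample values that break the naive concatenation.
const samples = {
  type: 'x" onmouseover="alert(1)',
  value: "<img src=x onerror=alert(1)>",
  href: "javascript:alert(1)",
};

// Usage (Node): the unsafe cell carries the attribute and the tag through
// intact; the escaped cell neutralises both; the URL guard rejects the
// javascript: string and keeps ordinary links.
console.log(renderCellUnsafe(samples.type, samples.value));
console.log(renderCellHtml(samples.type, samples.value));
console.log(safeUrl(samples.href), safeUrl("/rel/path?q=1"));
```

The escaping table covers attribute values only when they are quoted, as in renderCellHtml; an unquoted attribute would need stricter handling, which is one more reason the DOM-building variant is the simpler choice when a DOM is available.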


None of those are "pwned" if you know what you're doing. Idiot proofing is a real feature I grant you but it's not something you can blame the native DOM APIs for.


Anyone who knows what they're doing is one dumb moment away from not knowing what they're doing. I suspect I know no programmers that don't average at least a dumb moment per day. Your code reviewer is one dumb moment away from not catching it in your code review - which may be as simple as skimming a little too fast because the diff was a little too big. tl;dr: This:

> None of those are "pwned" if you know what you're doing.

... can be rephrased as "All of these are still 'pwned' on a daily basis."


> if you know what you're doing

Because everyone is perfect, right?



