
I am developing a WordPress plugin where users can write their own custom JS functions, which are executed by the plugin. They can share their code with others and can import others' code as well. My concern is that a user can make an AJAX request from their function and mess with the database. So how do I check whether a function is making an AJAX request and stop it from executing?

Solutions I can think of are:

  • Block all AJAX-related keywords like AJAX, xmlhttp, GET, POST
  • Having some global switch
    ajax = false;
    which will turn off all AJAX functions; turn it on when required and turn it off once done.

I have never faced security issues like this before, so I don't have any idea.
What are the different ways a user can mess with the database?

Gautam Kumar
    And if they do it with normal form submissions, links, img tags, etc? – epascarello Oct 03 '14 at 12:13
  • 1
    Solution, you do not run JavaScript from other people in the same domain as your code. Look how stackoverflow does it with [snipplets](http://blog.stackoverflow.com/2014/09/introducing-runnable-javascript-css-and-html-code-snippets/). – epascarello Oct 03 '14 at 12:15
  • Since I am new to this field, I don't have any idea of the different possible ways to mess with the database. – Gautam Kumar Oct 03 '14 at 12:16
  • doing `global:false` will stop all `ajax global functions declared anywhere in the application` – Tushar Raj Oct 03 '14 at 12:16
  • so you have exposed methods that allow for them to hit your database? – wirey00 Oct 03 '14 at 12:18
  • They can run JS snippets; there is no method exposed through which the client can access the DB, but their snippet might contain AJAX requests which can. – Gautam Kumar Oct 03 '14 at 12:20
  • @GautamKumar http://blog.jsfiddle.net/doc-api-embedding or do the iframe yourself... You cannot host the code on the same domain, as I said 25 minutes ago. – epascarello Oct 03 '14 at 12:37
  • If you haven't set up any handlers to catch those AJAX requests, their requests won't do anything to your database. – MSTannu Oct 03 '14 at 17:50

0 Answers
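The following is an added example, not code from the question or from the plugin being written. It shows why the keyword blocklist proposed in the question (the first of the two "solutions") cannot work, and sketches the alternative raised in the comments: running the user's snippet in a sandboxed iframe on a separate origin. The "browser" here is a constructed stand-in object so the script runs under Node; the blocklist, the evasion payloads, the `/wp-json/wp/v2/users` URL and the `hostOrigin` parameter are all assumptions made for the demonstration.

```javascript
// Added example: a keyword blocklist versus user-supplied JS, and the
// sandboxed-iframe alternative. Not part of the original question or plugin.

// The filter the question proposes (assumed keyword list).
const BLOCKED = ['ajax', 'xmlhttp', 'get', 'post', 'fetch'];

// Reject any snippet whose source text contains a blocked keyword.
function keywordFilterAllows(code) {
  const lower = code.toLowerCase();
  return !BLOCKED.some((k) => lower.includes(k));
}

// Constructed stand-in for the browser's window: it records which
// request-capable primitive a snippet managed to reach.
function makeFakeWindow() {
  const reached = [];
  const win = {
    reached,
    XMLHttpRequest: function XMLHttpRequest() { reached.push('XMLHttpRequest'); },
    fetch: function fetch() { reached.push('fetch'); return Promise.resolve(); },
    // In a real browser, assigning img.src fires a GET; a Proxy observes it here.
    Image: function Image() {
      return new Proxy({}, {
        set(target, prop, value) {
          if (prop === 'src') reached.push('Image.src');
          target[prop] = value;
          return true;
        },
      });
    },
  };
  win.window = win;
  return win;
}

// Evaluate a snippet the way an "execute the user's JS" plugin would, with the
// stand-in bound as `window`. `with` needs sloppy mode, which new Function gives.
function runSnippet(code, win) {
  new Function('window', 'with (window) { ' + code + ' }')(win);
  return win.reached.slice();
}

// Constructed evasion payloads. None contains a blocked keyword as source text,
// yet each reaches a request primitive: the name only has to exist at runtime.
const EVASIONS = [
  "new window['XMLHt' + 'tpRequest']()",
  "window[String.fromCharCode(102, 101, 116, 99, 104)]('/wp-json/wp/v2/users')",
  "new Image().src = '/?leak=' + encodeURIComponent('anything the page can read')",
];

// Run every payload through the filter and the stand-in browser.
function evaluateFilter() {
  return EVASIONS.map((code) => ({
    code,
    filterAllowed: keywordFilterAllows(code),
    reached: runSnippet(code, makeFakeWindow()),
  }));
}

// The alternative from the comments: execute the snippet inside an
// <iframe sandbox="allow-scripts"> whose document is served from a separate
// origin. Without allow-same-origin the frame has an opaque origin, so the
// snippet cannot read the host page's DOM or cookies, and its XHR/fetch calls
// to the site are cross-origin. Results return to the host via postMessage.
function sandboxDocument(userCode, hostOrigin) {
  // JSON-encode the code and escape "</" so it cannot close the <script>
  // element that carries it.
  const payload = JSON.stringify(userCode).replace(/<\//g, '<\\/');
  return [
    '<!doctype html><meta charset="utf-8">',
    '<script>',
    'window.addEventListener("message", function (e) {',
    '  if (e.origin !== ' + JSON.stringify(hostOrigin) + ') return;',
    '  var result;',
    '  try { result = new Function(' + payload + ')(); }',
    '  catch (err) { result = "error: " + err.message; }',
    '  e.source.postMessage(String(result), e.origin);',
    '});',
    '</script>',
  ].join('\n');
}

// Host-page side: allow-scripts only. No allow-same-origin, allow-forms or
// allow-top-navigation, so the frame cannot submit forms or navigate the host.
function hostIframe(sandboxUrl) {
  return '<iframe sandbox="allow-scripts" src="' + sandboxUrl + '"></iframe>';
}

console.log(JSON.stringify(evaluateFilter(), null, 2));
```

Every payload in `EVASIONS` passes the filter and still reaches `XMLHttpRequest`, `fetch` or an image GET, which is the point: a source-text blocklist cannot see names built at runtime, and `<img>`, `<form>` and `<a>` elements issue requests with no AJAX API at all. The sandbox removes the snippet from the site's origin instead of trying to guess what it will do; the server-side handlers that the comments mention (for WordPress, AJAX actions that verify a nonce and never mutate state on GET) remain the real line of defence, since any browser can send a request regardless of what the plugin's page allows.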