The following approach has been suggested in a few SO answers as a way of passing authenticated user details from the backend (PHP/Laravel) to the frontend (JavaScript/Vue). However, I would like to confirm how secure it is.

<script>
    window.App = {!! json_encode([
        'user' => Auth::user()
    ]); !!};
</script>

Are there any security implications of passing authenticated user details to JavaScript using this approach, assuming the details do contain user-generated input like name and username? Can JavaScript code safely handle this data to authorize user actions and/or output any of this data as HTML?

Or is there anything that a user can type into Name/Username fields during registration that can break this code / pose a security concern? Is there any benefit in sanitizing output of json_encode() before passing it to JavaScript?

EDIT

As an example, let's say I get this data from the server, pass it to JavaScript using json_encode() and then output user name in HTML using JavaScript. Can this be exploited in any way if users are allowed to enter anything (up to a certain char limit) into the Name field during registration?

1 Answer

"Can JavaScript code safely handle this data to authorize user actions" - never, because it's client-side and by definition not under your control. Authorization is done server-side.

"Or is there anything that a user can type into Name/Username fields during registration that can break this code / pose a security concern?" - json_encode escapes characters so that, whatever data you have, the outputted JSON is valid.

"output any of this data as HTML?" - no. You need to sanitize the data for HTML output. json_encode does not know what HTML is.

"Is there any benefit in sanitizing output of json_encode() before passing it to JavaScript?" - this is not something decided at a language level but at an application level. If users are allowed to input any characters then you are responsible to ensure that they can't exploit that in nefarious ways because only you know how that data is used by the application.

"However, I would like to confirm how secure it is." - it's as secure as you understand the implications of passing around data between different contexts. In this situation you are passing data that's "secure" in the server-side context but unchecked might not be "secure" when passed to the client-side context.

TLDR: no one can give you a satisfying answer without knowing what you're doing with that data. Simply inserting it in the response as a <script> would be safe. Using said data client-side might not be safe depending on what you do with it.

Here's an example of why not sanitizing data is bad: https://jsfiddle.net/v7pxn48j/ As you can see there is nothing wrong with the JSON, but interpreting some of it as unsanitized HTML is.

1 Comment

Brilliant. Exactly what I wanted to confirm.
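
The distinction the answer draws between contexts, as an added example that is not part of the original question or answer: the same user object is encoded once for the `<script>` context and once for the HTML context. The `user` object and all function names are constructed for illustration, and the block goes slightly beyond the answer by also hardening the JSON for inline-script embedding.

```javascript
// Added example: sample data below is constructed, not taken from the post.
const user = { id: 7, name: '</script><img src=x onerror=alert(1)> & "Eve"' };

// Script context: serialize for embedding inside <script>...</script>.
// Escaping <, > and & as \uXXXX keeps the JSON valid while making sure the
// HTML parser never sees a tag; this mirrors the effect of PHP's
// JSON_HEX_TAG and JSON_HEX_AMP flags for json_encode().
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// HTML context: encode the five characters that are significant in element
// content and quoted attribute values. Single pass, so nothing is double-encoded.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// What the answer warns about: valid JSON data concatenated into markup as-is.
function renderGreetingUnsafe(u) {
  return '<p>Hello, ' + u.name + '</p>';
}

// Same output path with encoding applied at the point of HTML output.
function renderGreeting(u) {
  return '<p>Hello, ' + escapeHtml(u.name) + '</p>';
}

// The data survives the JSON round trip unchanged; only the HTML sink differs.
const roundTripped = JSON.parse(jsonForScript(user));
console.log(jsonForScript(user));
console.log(renderGreetingUnsafe(roundTripped));
console.log(renderGreeting(roundTripped));
```

In a browser, assigning the value to an element's `textContent` (or using Vue's `{{ }}` interpolation rather than `v-html`) gives the same result as `escapeHtml` without manual string building.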
