Laravel data to javascript could this be insecure and an open vulnerability? - Jquery ajax

JGuarate
April 14, 2020
156 views
1 vote
2 Answers

I have this method in the controller:

$ep = new Enterprise;
$d = new Chat;
$dataDao = new Data2;
$model = new Data;
$empresa = $ep->getEnterprise();
$tmp_talent = new Talent();
$nm = $d->all($request->session()->get('user')->email);
$data = [
    0 => $empresa,
    'vacantes' => $tmp_talent->getOpenJobsXTalent($request->session()->get('user')->email),
    "messages" => $nm,
    "userId"=> $dataDao->getMyUserId(),
    "categories"=>$model->getCategories(),
    //"subcategories"=>$model->getSubCategories()
];
return view('chat.dash')->with('data',$data);

And this is their corresponding resource file:

<script>
    var allMessages = {!! json_encode($data['messages']) !!};

My question is if this can represent a vulnerability than an attacker could use to make damage on my site or to my end users?

Answers

- Bader
- April 14, 2020 at 6:52 pm
- 0 votes
0
You’re displaying unescaped data
Which shouldn’t be used for displaying users entries

You are using json here so you want to use @json()

Or
```
<?php echo json_encode($array); ?>;
```
Laravel docs
Login or Signup to reply.

- Shizzen83
- April 14, 2020 at 6:54 pm
- 0 votes
0
Those data could be a vulnerability if they are confidential and you also have an XSS vulnerability which allows an attacker to get them.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Laravel data to javascript could this be insecure and an open vulnerability? – Jquery ajax

Answers