JavaScript security question

Forum|Forum|5 years ago
November 24, 2020
4 replies
455 views

Hi all. I am currently at the mercy of a very controlling web agency are the only people who can edit and build templates. The templates they have built are very restrictive giving me no option to improve styling and interactivity.

I have asked for a template that allows me to enter bespoke code (HTML, CSS and JavaScript).

By JavaScript, I mean the likes of jQuery, or bootstrap and relevant libraries for those... basically, anything I want to make more interactive on that page only (e.g.: carousels, accordions, scroll to, etc). It's unlikely that I will be writing my own JS for anything other than maybe a click or scroll event. Any JS used on the page will only be interacting with code on that specific page.

The web agency has responded with concerns about security breaches with JavaScript stating:

"CMS user could add insecure scripts and cause browser errors, which would fail a penetration test. If you decide to go with the new template work we will need to amend your SLA agreement"

So, my question is: Does what I have requested present any security concern that you can foresee?

This topic has been closed for replies.

B i r n o u

Legend

I second what said Os, I think the agency want to cover itself from any kind of trouble... Most of them could be for instability or page crash or runs infinite loop, or an external call for a malicious script, ... have a look at this old but interesting article https://www.algoworks.com/blog/security-concerns-with-javascript-development/

Nancy OShea

Community Expert

You're using a content management system? If yes, then the agency who built your CMS is responsible for keeping it operational and free from spurious code that you may unknowingly introduce. If they give you access to add more code, that opens up a Pandora's box of potential mayhem. I prefer to lock down my sites because clients with code access have been known to do some incredibly stupid things. The less code clients have access to, the better.

If you need a carousel, etc..., a better compromise is to ask your agency to add the latest Bootstrap & jQuery libraries to your site's source code so you can invoke them with pre-built Bootstrap classes.

Nancy O'Shea— Product User & Community Expert

B

Ben M

Community Expert

Having worked in an agency myself, I can tell you this sounds more controlling as most clients like some level of control, but usually adding scripting is reserved for the agency unless the company has a resource that knows what they are doing. As websites should be always evolving with the needs of the business, I would suggest your best course of action is to leave the contract as is and review with your management when they are up for renewal and discuss potential changes to the existing terms or to consider other agencies if they are too restricting in their contract terms.

O

osgood_

Legend

Javscript doesnt present a security risk if it isnt used for communicating to a database as in a Node.js workflow. Adding Javascript to a page could cause the javascript, which is currently present, to stop working due to a conflict between the 2 scripts, therefore the page would not function. I guess they are just covering themsleves for any errors which might result if code is introduced into the website, which they didnt create.

For instance you might include a jQuery library version which conflicts with the jQuery library they have used, if indeed they have used any jQuery.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded