
JavaScript security question

Explorer, Nov 24, 2020

Hi all. I am currently at the mercy of a very controlling web agency who are the only people who can edit and build templates. The templates they have built are very restrictive, giving me no option to improve styling and interactivity.

 

I have asked for a template that allows me to enter bespoke code (HTML, CSS and JavaScript).

 

By JavaScript, I mean the likes of jQuery, or bootstrap and relevant libraries for those... basically, anything I want to make more interactive on that page only (e.g.: carousels, accordions, scroll to, etc). It's unlikely that I will be writing my own JS for anything other than maybe a click or scroll event. Any JS used on the page will only be interacting with code on that specific page.

 

The web agency has responded with concerns about security breaches with JavaScript stating:

"CMS user could add insecure scripts and cause browser errors, which would fail a penetration test. If you decide to go with the new template work we will need to amend your SLA agreement"

 

So, my question is: Does what I have requested present any security concern that you can foresee?

LEGEND, Nov 24, 2020

JavaScript doesn't present a security risk if it isn't used for communicating to a database as in a Node.js workflow. Adding JavaScript to a page could cause the JavaScript which is currently present to stop working due to a conflict between the 2 scripts, therefore the page would not function. I guess they are just covering themselves for any errors which might result if code is introduced into the website which they didn't create.

 

For instance, you might include a jQuery library version which conflicts with the jQuery library they have used, if indeed they have used any jQuery.

Community Expert, Nov 24, 2020

Having worked in an agency myself, I can tell you this sounds more controlling as most clients like some level of control, but usually adding scripting is reserved for the agency unless the company has a resource that knows what they are doing.  As websites should be always evolving with the needs of the business, I would suggest your best course of action is to leave the contract as is and review with your management when they are up for renewal and discuss potential changes to the existing terms or to consider other agencies if they are too restricting in their contract terms.

Community Expert, Nov 24, 2020

You're using a content management system?  If yes, then the agency who built your CMS is responsible for keeping it operational and free from spurious code that you may unknowingly introduce.  If they give you access to add more code, that opens up a Pandora's box of potential mayhem.  I prefer to lock down my sites because clients with code access have been known to do some incredibly stupid things. The less code clients have access to, the better.

 

If you need a carousel, etc..., a better compromise is to ask your agency to add the latest Bootstrap & jQuery libraries to your site's source code so you can invoke them with pre-built Bootstrap classes.

 

Nancy O'Shea— Product User, Community Expert & Moderator

Community Expert, Nov 24, 2020

I second what Os said. I think the agency wants to cover itself from any kind of trouble... Most of them could be instability, a page crash, running an infinite loop, or an external call for a malicious script, ... Have a look at this old but interesting article: https://www.algoworks.com/blog/security-concerns-with-javascript-development/

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines