|
I disagree. JavaScript is MADE to extend via the prototype in each object (although you should not expect this to work on every client, especially IE/JScript).
We have a ways to go in terms of security but verifying JSONP requests and CORS are where we are headed (CORS is possible since IE 8 with the XDomainRequest object, on other browsers XHR Level 2). What are we concerned about here? JavaScript injection has always been possible.
You have to be very careful what people POST and GET via HTTP in general, not just Ajax requests. Never trust any input from the client side, ever. It must be scraped, cleaned, sanitised, whatever you must do to ensure it is not an attack attempt.
|
|
|
|