
I am using jQuery to do some inline form validation during user registration to prevent form errors after posting by checking to see if:

  • username is available
  • email has not already been registered

The idea is to give the user feedback before the form is submitted to prevent frustration. The code is at the bottom.

Questions:

  • Is this a potential security problem? I had the thought that someone looking at my javascript could find the url I am polling for the username/email confirmation and then use it themselves (I don't know why they would do this, but one never knows).
  • If it is, what protections can I implement? I had read a little about cross-site scripting protection but am not sure how it could be implemented in an AJAX request, such as this, or if it is even necessary.

Thanks for your input.

Current Code:

I have defined the following view (which I took from some snippet, but can't recall where):

from django.contrib.auth.models import User
from django.http import HttpResponse, HttpResponseServerError

# UserProfile is the asker's own profile model; its module is not shown in the
# question, so the app-local import below is assumed.
from .models import UserProfile


def is_field_available(request):
    # The client polls this with exactly one of 'username' or 'email' in the query string.
    if request.method == "GET":
        get = request.GET.copy()
        if 'username' in get:   # dict.has_key() was removed in Python 3
            name = get['username']
            # Taken if it matches an existing username or a profile display name (case-insensitive).
            if User.objects.filter(username__iexact=name).exists() or \
                    UserProfile.objects.filter(display_name__iexact=name).exists():
                return HttpResponse(False)   # body is the literal string "False"
            return HttpResponse(True)        # body is the literal string "True"
        if 'email' in get:
            email = get['email']
            if User.objects.filter(email__iexact=email).exists():
                return HttpResponse(False)
            return HttpResponse(True)

    return HttpResponseServerError("Requires username or email to test")

Here is a sample of the jQuery code:

// Bound to the e-mail input's blur event; $input is the field being validated.
// '#id_email' is Django's default id for a form field named 'email'.
$('#id_email').blur(function() {
    var $input = $(this);
    $.get('is-user-name-available/', { email: $input.val() },
        function(data, status) {
            // The view answers with the literal string "True" or "False".
            if (data == "True") {
                $input.fieldValid();     // fieldValid/fieldInvalid are the asker's own plugin methods
            } else {
                $input.fieldInvalid("This email address has already been registered.  Try another or recover your password.");
            }
        });
});

Edit: updated the code and rephrased my questions. [10/07/09]

thornomad

2 Answers


See http://www.djangosnippets.org/snippets/771/ - you can restrict your view to ajax requests. The only way to do cross-domain ajax is jsonp which you do not support in your view.

zgoda
  • Hmm - so, are you saying that by limiting the view to an ajax-only request, someone else wouldn't be able to write a javascript function from *their* site and use it (because I don't support jsonp)? Did I understand correctly? Thanks! – thornomad Oct 09 '09 at 00:23
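The restriction zgoda describes, as an added example that is not part of the answer or of the linked snippet: a Python sketch of an AJAX-only decorator, with a constructed FakeRequest standing in for Django's HttpRequest (which exposes headers through request.META as HTTP_*) and a (status, body) tuple standing in for HttpResponse. jQuery adds the X-Requested-With header to same-origin $.get/$.post calls by default; the docstring states why checking it is hygiene rather than authentication.

```python
import functools


# Constructed stand-in for django.http.HttpRequest so the example runs without Django.
# Django maps the X-Requested-With header to request.META["HTTP_X_REQUESTED_WITH"].
class FakeRequest:
    def __init__(self, method="GET", params=None, headers=None):
        self.method = method
        self.GET = dict(params or {})
        self.META = dict(headers or {})


def ajax_required(view):
    """Reject any request that did not come from XMLHttpRequest.

    A browser will not attach a custom header such as X-Requested-With to a
    cross-origin request unless the server opts in through CORS, so a page on
    another site cannot call this view from a visitor's browser. The header is
    trivial to set from curl or a same-origin script, so this is a hygiene
    check on how the endpoint is reached, not authentication or rate limiting.
    """
    @functools.wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.META.get("HTTP_X_REQUESTED_WITH") != "XMLHttpRequest":
            # A real Django view would return HttpResponseBadRequest here.
            return (400, "AJAX request required")
        return view(request, *args, **kwargs)
    return wrapper


# Constructed sample of taken names standing in for the User/UserProfile lookups.
TAKEN_USERNAMES = {"admin", "thornomad"}


@ajax_required
def is_username_available(request):
    """Availability view with the same "True"/"False" body contract as the question."""
    name = request.GET.get("username", "")
    taken = name.lower() in TAKEN_USERNAMES
    return (200, str(not taken))


def call(with_ajax_header, username):
    """Build the request the way a browser would send it and run the view."""
    headers = {"HTTP_X_REQUESTED_WITH": "XMLHttpRequest"} if with_ajax_header else {}
    return is_username_available(FakeRequest("GET", {"username": username}, headers))


if __name__ == "__main__":
    print(call(False, "admin"))   # (400, 'AJAX request required')
    print(call(True, "admin"))    # (200, 'False')
    print(call(True, "newuser"))  # (200, 'True')
```

To use it with real Django, drop FakeRequest, return HttpResponseBadRequest / HttpResponse from the wrapper and view, and stack the decorator on is_field_available from the question.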

Yes, this is a potential security problem, but not too big a one: just make sure that your code is safe, and always returns something that doesn't reveal information that should be hidden.

There's nothing bad if someone enters in a browser: example.com/account/verify_username/?username=admin (although I'd suggest using POST only here)

So what should be done:

  • Verify that all the parameters you need are present and in the correct format.
  • Possibly verify where the request came from.
  • Make sure you handle all exceptions that can happen in the code.
  • Don't forget about unit testing; for that, try to place your logic NOT in a view, but in some method :)

Vitaly
  • Thanks for the response - why would you use POST instead of GET (because, to me, it seems we are "getting" information)? – thornomad Oct 09 '09 at 00:22
  • You can pass parameters in either POST (in the body of the request) or in GET (in the URL like script/?param1=val1&param2=val2). In the case of POST, you can't run this directly from the browser. The difference between GET and POST is that GET should not have the significance of taking an action other than retrieval. More about jQuery and post here: http://docs.jquery.com/Ajax/jQuery.post – Vitaly Nov 02 '09 at 21:00
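Vitaly's list above, as an added example (not Vitaly's code) written framework-free in Python so it runs without Django: the availability logic lives in check_availability, a plain function that can be unit-tested directly, and a thin view maps its outcomes to HTTP statuses. The sample user data, the username format and the POST-only rule from the comment thread are assumptions made for the example.

```python
import re

# Constructed sample data standing in for the User and UserProfile tables.
TAKEN_USERNAMES = {"admin", "thornomad"}
TAKEN_EMAILS = {"admin@example.com"}

# Assumed registration rules: 3-30 characters of letters, digits, dot, dash or
# underscore for usernames; a deliberately loose shape check for e-mail addresses.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,30}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ValidationError(ValueError):
    """Raised for malformed or missing client input; mapped to a 400 by the view."""


def username_available(name):
    return name.lower() not in TAKEN_USERNAMES


def email_available(email):
    return email.lower() not in TAKEN_EMAILS


def check_availability(params):
    """Core logic with no request object: the 'some method' Vitaly suggests.

    Takes a dict of submitted parameters and returns the string "True" or
    "False", so the jQuery handler from the question keeps working unchanged.
    """
    has_user, has_email = "username" in params, "email" in params
    if has_user == has_email:            # neither, or both
        raise ValidationError("Supply exactly one of 'username' or 'email'")
    if has_user:
        name = params["username"]
        if not USERNAME_RE.match(name):
            raise ValidationError("Malformed username")
        return str(username_available(name))
    email = params["email"]
    if not EMAIL_RE.match(email):
        raise ValidationError("Malformed e-mail address")
    return str(email_available(email))


def is_field_available(method, params):
    """Thin view layer: returns (status, body) where Django would return an HttpResponse."""
    if method != "POST":
        # POST-only, as suggested in the answer; GET is refused outright.
        return (405, "POST required")
    try:
        return (200, check_availability(params))
    except ValidationError as exc:
        return (400, str(exc))
    except Exception:
        # Log the real error server-side; the client only learns that the check failed,
        # never a traceback or a database error message.
        return (500, "Availability check failed")


if __name__ == "__main__":
    print(is_field_available("GET", {"username": "admin"}))          # (405, 'POST required')
    print(is_field_available("POST", {"username": "admin"}))         # (200, 'False')
    print(is_field_available("POST", {"username": "fresh_name"}))    # (200, 'True')
    print(is_field_available("POST", {"email": "not-an-email"}))     # (400, 'Malformed e-mail address')
```

Because check_availability never touches a request, its unit tests need no test client: call it with a dict and assert on the string it returns, then test the view layer separately for status codes.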