-1

I'm using JQuery to add a lot of functionality to SAS HTML output files. Basically I'll be adding to previously static HTML tables, like the ability to highlight rows, re-sort, sum by subgroups, etc.

The catch is that NO ONE outside of my organization can see the data in these tables. The files will not be online, just saved on our secure drives. But I'm worried about doing something inadvertently that would expose pieces of data to any external servers or attackers.

I've read several articles and questions about JQuery security, like Is JQuery secure? and jQuery ajax security, but I really do want to know if there's anything I need to avoid in my case so that nothing surprising will happen.

So given that I won't be using AJAX or any plugins hosted online, I have one main question:

Are there any non-obvious things I could do in JQuery that would create a chance of data leaking, relative to just displaying the data in JavaScript-free HTML?

My apologies if this seems like a question I could have answered on my own. While I think everything should be fine, I'm not a security expert, and I want to be certain about this before my potentially awesome project brings the company down in flames.

--EDIT: in response to Phillip's comments, I should clarify that anyone accessing the files will already have been required to give their credentials, have project-specific clearance, and sign a data-nondisclosure agreement such that any attempt to move the files from a secure location would be a violation of the conditions of access.

Community
  • 1
  • 1
MDe
  • 2,478
  • 3
  • 22
  • 27

1 Answers1

0

No, and this is a really bad idea because jQuery/JS is a client side technology and anyone with a text editor and a browser can copy your code and recreate the circumstances needed to display your sensitive information. You need some sort of server side verification to make sure your data is totally secure even if just for internal use.

Phillip Berger
  • 2,317
  • 1
  • 11
  • 30
  • Thanks Phillip - I'm not quite sure how anyone with a text editor and browser could do that, without first gaining access to our servers, at which point they could just steal the data files instead of my code. I guess it's the IT department's job not to let anyone come in and steal the files, but I just want be sure that my script isn't going to send the data anywhere external by some subtle misunderstanding of what's happening. Does that resolve your concerns, or am I not getting what you're saying? – MDe May 18 '13 at 18:57
  • Have you ever heard of "The Great Wall Syndrome?" It’s the problem companies face when their own internal employees walk off with their data. As long as everything is client-side security WILL be a problem. Keeping everything on the server with proper validation procedures is the way to go. Additionally, if someone modified the jQuery with a text editor and ran it locally the data could be sent offsite by an unwitting person. This is another reason why you need some sort of server validation for data you consider secure. – Phillip Berger May 18 '13 at 19:01
  • Great - any links or suggestions for the proper validation procedures you refer to? – MDe May 18 '13 at 19:05
  • There are a number of articles on the topic, but really this decision normally starts with someone designated CIO of the company. Normally validation is a username and password needed to access the data and the ability to shut that access down when an employee is terminated. In addition there are numerous tricks a web developer can employ, situation dependent of course, to make it less than convenient for a user to save data to a flash drive as an HTML file. – Phillip Berger May 18 '13 at 19:10
  • Maybe I should have been more specific. Credentials are already required to access the HTML files. Only those with project-specific clearance will even have that much access, and they have all signed data non-disclosure forms. Anyone who copied the data to a non-secure location like a flash drive would do so knowing that they were violating security procedures. When employees are terminated obviously they no longer have any access. I'm worried about inadvertent consequences of MY code - intentionally malicious behavior of other employees is out of my control. – MDe May 18 '13 at 19:33
  • As long as you don’t make any jQuery style calls to the outside you should be fine. – Phillip Berger May 18 '13 at 19:58