Expand my Community achievements bar.

Join us January 15th for an AMA with Champion Achaia Walton, who will be talking about her article on Event-Based Reporting and Measuring Content Groups!

Remove two anti-patterns from the AppMeasurement.js code

Avatar

Level 1

10/23/14

Two known anti-patterns are used within the AppMeasurement.js javascript code:

 

1. It accidentally exposes internal variables by not utilizing the `var` keyword to restrict variable scope.

2. It utilizes "lax" equivalence/inequivalence check operators.

 

Accidentally globally scoping variables allows any object that has access to the page to "see" the contents of these variables. If they include sensitive information, such as cookie values, an attacker with access to the page could see these exposed values. Additionally, globally scoped variables can introduce accidental errors into a program, as they may accidentally "overwrite" a global variable used by another program, or have their values overwritten by the same.

 

JavaScript includes two "types" of equivalence checks, which could be classified as "strict checks" and lax checks". When working with numbers, booleans, Null, undefined, and objects, strict equivalence checks are preferred, both for purposes of correctness as well as avoidance of accidental misbehavior. This behavior becomes apparent especially when working with numbers and booleans: JavaScript will assert that `"2" == 2` is true, whereas `"2" === 2` is false; this is due to the fact that "lax" equivalence checks will attempt to do type coercion prior to checking the equivalence of the two sides. This is further compounded by the fact that JavaScript has some odd constructs for what constitutes a number, and can lead to undefined behavior. The standard recommendation is to use strict equivalence (===) and strict inequivalence (!==) whenever values are to be checked.

 

For further details see: http://www.oreillynet.com/pub/a/javascript/excerpts/javascript-good-parts/badparts.html

1 Comment