I’ve been doing C and Java for many years but recently I have become more serious about web development and I’m curious about general techniques with respect to security, extensibility and performance.
Specifically, I’m currently using the following strategy for navigation using AJAX:
When the user clicks ‘submit’ (or any link that has a class that begins with ‘cl_’) cmdhdlr() is invoked which submits the form, installs the responseText into the DOM indicated by the selector and calls regcl() on that new fragment to register any links in it. The idea is that since XHR responses cannot contain scripts, regcl() will just look for any nodes with a class that begins with ‘cl_’ and register those for click events. This is somewhat simplified of course but you get the idea.
Is this a typical technique? Are there any security issues here? If someone can inject content into the XHR response they will only be able to call code that is pre-defined in cmdhdlr() so it doesn’t seem like a problem to me.
Are there any holes in this?
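As an added illustration of the pattern described in the question (this is example code, not the poster's cmdhdlr()/regcl()), the sketch below keeps the ‘cl_’ class dispatch but backs it with a fixed command table and an attribute allowlist applied to the response fragment before any click handlers are attached; the handler bodies, the `installResponse` name and the allowed tag/attribute sets are assumptions standing in for a real application's policy.

```javascript
// Added example, not the poster's code. Browser-oriented; the pure helpers
// (commandFromClass, attrAllowed) have no DOM dependency.

// Only these commands exist: a 'cl_' class arriving in a response can reach
// nothing outside this table. Handler bodies are stand-ins (assumption).
const COMMANDS = Object.freeze({
  cl_submit: (el) => 'submit:' + (el.getAttribute('data-target') || ''),
  cl_next:   (el) => 'next:'   + (el.getAttribute('data-target') || ''),
});

// Markup the fragment may keep (assumed policy). Anything else, including
// inline event-handler attributes and non-http(s) URLs, is stripped because
// markup inserted into the DOM is live even though <script> does not run.
const ALLOWED_TAGS  = new Set(['DIV', 'P', 'A', 'FORM', 'INPUT', 'LABEL',
                               'SPAN', 'UL', 'LI', 'BUTTON']);
const ALLOWED_ATTRS = new Set(['class', 'href', 'data-target', 'name', 'value', 'type']);

// Resolve a class attribute to exactly one registered command, else null.
function commandFromClass(classAttr) {
  const hits = String(classAttr || '').split(/\s+/).filter((c) => c.startsWith('cl_'));
  if (hits.length !== 1) return null;             // none, or ambiguous
  return Object.prototype.hasOwnProperty.call(COMMANDS, hits[0]) ? hits[0] : null;
}

// href may be same-site relative (not protocol-relative) or http(s) only.
function attrAllowed(name, value) {
  const n = name.toLowerCase();
  if (!ALLOWED_ATTRS.has(n)) return false;
  if (n === 'href') return /^(https?:\/\/|\/(?!\/)|\.\/|\?|#)/i.test(String(value).trim());
  return true;
}

// regcl() equivalent: scrub the fragment, then bind clicks only via COMMANDS.
function regcl(fragment) {
  for (const el of fragment.querySelectorAll('*')) {
    if (!ALLOWED_TAGS.has(el.tagName)) { el.remove(); continue; }
    for (const a of Array.from(el.attributes)) {
      if (!attrAllowed(a.name, a.value)) el.removeAttribute(a.name);
    }
    const cmd = commandFromClass(el.getAttribute('class'));
    if (cmd) el.addEventListener('click', (ev) => { ev.preventDefault(); COMMANDS[cmd](el); });
  }
}

// cmdhdlr() tail: parse responseText inertly, install it, register the fragment.
function installResponse(container, responseText) {
  const doc = new DOMParser().parseFromString(responseText, 'text/html');
  container.replaceChildren(...doc.body.childNodes);
  regcl(container);
}
```

The table is what makes the "only pre-defined code is reachable" argument hold; the allowlist is the part that argument alone does not cover, since attributes and URLs in the fragment are interpreted by the browser regardless of what regcl() binds.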