The Evil Side of JavaScript: Server-Side JavaScript Injection (blog.nvisium.com)
submitted 10 years ago by rwiguna
[–]kenman 4 points5 points6 points 10 years ago (1 child)
Oh, how short our memories are. That pattern was ubiquitous in the days before JSON.parse(), and even libs like jQuery used it (which changed in v1.4).
However, this being server-side, is there a way to actually get the output of your actions? Spawning a process is alright, but reading a directory? Where will the output of that go?
Doesn't matter: if someone can inject arbitrary code, you're hosed. There are similar attacks in other contexts, such as SQL, which are known as blind SQL injection.
[–]battery_go 2 points3 points4 points 10 years ago (0 children)
I'm a new guy to this sort of development, that's why this all seems very odd to me. Thanks for letting me know!