While reading about the navigator object in JavaScript I ran into a taintEnabled() function, as well as similar taint() and untaint() functions, referring to something called "data-tainting".
Googling around the net and Stack Overflow shows some possible references to the Perl language, but none about JavaScript. I wonder, what is data-tainting and how to use these functions?
Asked Jul 17, 2012 at 10:34 by trejder; edited Nov 7, 2023 at 18:04 by dumbass.
2 Answers
Data Tainting (or Taint Checking) is a language feature wherein user-input data is flagged as tainted, a flag that propagates to all data derived from this input. As a result, code can implement runtime assertions to ensure security-critical code is not being called using tainted data (i.e. prevent SQLi, XSS-type attacks).
Whilst Netscape implemented it in the browser in v3 and v4, support for it sadly never materialized elsewhere, so @trejder is absolutely right that it should be avoided in JavaScript.
As mentioned, there aren't many sources on the Internet about data-tainting, as it seems to be a long forgotten, deprecated technique and topic. But I found an interesting read on this on findmeat.org. For the Navigator.taintEnabled() method it says that (various parts cited, some text shortened):
The data-tainting support was a short-lived means of sending data back to a server. The security implications became unworkable and the whole data tainting idea was deprecated. The functionality was removed in JavaScript version 1.2. This method is only supported in order to prevent scripts from crashing. This functionality is highly deprecated and you can expect it to cause run-time exceptions in future. You should seek to try and remove it to prevent run-time errors in the future.
It seems that nowadays few browsers support this function (and similar, mentioned) and that it should not be used under any circumstance. Even if a browser implements this at all, it should return the value false for this method, always.
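Since the native taint() and untaint() functions are gone, the flag, propagate and assert idea described in the first answer can only be reproduced in userland. The sketch below is an added example, not code from either answer or from Netscape's API; the names Tainted, taint, concat, escapeHtml and renderSink, and the sample input, are hypothetical.

```javascript
// Userland sketch of taint tracking; NOT the removed Netscape API.
// Tainted, taint, concat, escapeHtml, renderSink are hypothetical names.
class Tainted {
  constructor(value) { this.value = String(value); }
  // Block implicit coercion, so `+` or a template literal cannot
  // silently turn flagged data into a plain, unflagged string.
  [Symbol.toPrimitive]() { throw new TypeError('implicit use of tainted data'); }
}

const isTainted = (v) => v instanceof Tainted;
const taint = (v) => (isTainted(v) ? v : new Tainted(v));

// Propagation: a result derived from any tainted part is itself tainted.
function concat(...parts) {
  const text = parts.map((p) => (isTainted(p) ? p.value : String(p))).join('');
  return parts.some(isTainted) ? new Tainted(text) : text;
}

// The only way to clear the flag: encode for the target context (HTML here).
function escapeHtml(v) {
  const raw = isTainted(v) ? v.value : String(v);
  return raw.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Security-critical sink with a runtime assertion on the taint flag.
function renderSink(html) {
  if (isTainted(html)) throw new TypeError('tainted data reached HTML sink');
  return html;
}

// Constructed sample input standing in for a form field or URL parameter.
const userName = taint('<b>bob</b>');

function demo() {
  const greeting = concat('<p>Hello, ', userName, '</p>'); // flag propagates
  let blocked = false;
  try { renderSink(greeting); } catch (e) { blocked = true; }
  // Encoding returns a plain string, so the derived markup passes the sink.
  const safe = renderSink(concat('<p>Hello, ', escapeHtml(userName), '</p>'));
  return { derivedIsTainted: isTainted(greeting), blocked, safe };
}

console.log(demo());
```

A wrapper like this only tracks data that flows through its own helpers; any code that reads `.value` directly bypasses the check, which is one reason tainting works best as a language-level feature.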