Author: Kaanon MacFarlane
Unless you’ve been under a rock for the last 12 months, you’ve undoubtedly heard of AJAX. Forgive the cliché, but instead of cleaning your kitchen sink, AJAX cleans up the traditional web experience and brings more usability to web pages. AJAX stands for Asynchronous Javascript and XML, but the most prominent letter is the J. There has been a lot of effort to add synchronicity (making the order of things matter) and to avoid XML altogether (by returning Javascript or plain data instead), so AJAX is better thought of as an approach than as a fixed set of technologies.
The traditional web site approach is to display pages and reload the whole page when you click on a link. The AJAX approach is to NOT reload the entire page, but instead fetch only the relevant data. This is accomplished by using Javascript to mimic the action of going to a page and getting data. For instance, let’s say a page has a list of products.
There are a few ways to show more detailed information about a product. When the user clicks on the product, the “normal” way to find out more is to go to a new page. The “Ajaxy” way is to have Javascript request (go to) the page with the extra info about this product, then take the returned data and display it on the page the user is already on. While both ways are functional, the Ajaxy way is faster and allows side-by-side comparison of products. The response is also significantly smaller than a full page, which saves bandwidth.
While an incredibly powerful approach to web development, AJAX does come with a few risks. The most obvious one is that the pages generally do not work for users who have Javascript disabled. Commonly cited statistics put that group at roughly 10% of Internet users.
Because of this, it is important to develop pages that still work whether Javascript is enabled or not. A more serious risk is exploitation by attackers.
According to Wikipedia:
Cross site scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is. From the trusted context, an attack can be launched. en.wikipedia.org/wiki/XSS
This can happen if a knowledgeable user forges the kind of requests your Javascript would make, for instance requesting a different product or a different category than the page offers. More likely, the attacker will tamper with the parameters of your pages to execute their own commands, since the server cannot tell a request built by your script from one built by hand. Some free (as in beer) ways to combat this: send POST requests instead of GET requests (this stops the trivial case of a forged link, but a hidden form on another site can still auto-submit a POST, so it is not a defense by itself), and have your Javascript send extra information, such as a secret per-session token embedded in the page, that the server checks to ensure the request really came from a valid resource (in this case, the page on your website; forging that request from elsewhere is the pattern known as cross-site request forgery). Every parameter should still be validated on the server, whatever the script would normally send. It is also important that any user input, no matter how mundane, is HTML-encoded when it is written back into a page, so that Javascript code and HTML tags are displayed as text rather than executed; merely stripping tags at input time is easy to bypass. Problems arise whenever raw input is allowed through.
AJAX is a wonderful new tool for improving the usability of sites. Although developers must be careful about what they make possible, the added functionality is worth it.

