What is window._jqjsp? - javascript

I've been looking through some code that rewrites window._jqjsp. From the context, it seemed like it was either part of the DOM or something jQuery might insert.
Anyone has a clue what window._jqjsp is?

It's used in jQuery mobile development. It looks to be a special type of callback that passes on data to other callbacks.
"The jQuery JSONP plugin provides the sham callback, defaultly named _jqjsp, whose sole purpose is to make the response data available for the app's actual callback functions."
http://software.intel.com/en-us/articles/jquery-mobile-listview

It's most likely an extension. I know that a few of the Chrome extensions I use inject scripts on the page.
EDIT:
After checking around, it looks like this plugin might be assigning itself to that variable. Are you using jquery-jsonp? This mentions it.

Related

Modify jQuery getJSON - add functions on call and callback

I'm trying to create a loader that tracks when AJAX calls start and end. It's using JSONP so the .ajaxComplete() doesn't work / isn't reliable.
Ideally I'd like to modify getJSON so that every time it is called a function, addAJAX(), is also called. The callback will also fire a function removeAJAX().
Currently I'm having to do this by adding in functions to every getJSON, of which there are many and likely to be many more.
For example:
// Add ajax tracker
hl.addAJAX();
$.getJSON('someurl.com?callback=?',{ key: APIKEY }, function(json) {
// Remove the ajax tracker
hl.removeAJAX();
});
Creating a wrapper function for AJAX calls is one option, but I'd really like to know if jQuery can be modified this way?
Yes you can override jQuery to do such actions. I have posted one answer for a similar type question. So Instead of re-posting, providing the reference -
How to get default error of ajax call
Technically it certainly could be done -- jQuery is just JavaScript, so you could dig through the sources .js files, find the method in question and modify to your heart's content. However, this certainly isn't a trivial edit and I would strongly advise you against modifying core functionality of third party libraries unless you think that there's no other feasible option and you're ready for what comes along with it.
I say that because that will mean, among other things, that you'll have to maintain those changes when you're trying to move to future versions, and that you may break support for other libraries or plugins which expect certain functions to work certain ways.
As much as it may be annoying to call the function in the callback every time, that's the recommended way of accomplishing this type of functionality.

Namespacing in jQuery?

I am currently working on a library plugin for jQuery that might eventually be released as an open source project.
I have written a number of custom element functions and would like to store everything related to my library in a namespace.
So for example, assume that I have a function called toggle(). Ordinarily, this would be called using $(selector).toggle(). However, I would like to call it, and other functions using something like $(selector).mylib.toggle() so as not to interfere with other libraries or plugins.
I have developed jQuery plugins in the past, but never needed to protect methods in this way. Can anyone point me in the direction of how I might author the functions to achieve this?
I'm not exactly sure, why you would want to do this and not use an "ordinary" namespace object which holds your methods. However, you might want to have a look at
jQuery.sub()
Description: Creates a new copy of jQuery whose properties and methods
can be modified without affecting the original jQuery object.
By "sub"(classing) the jQuery object, you don't have to care about conflicting with other plugins anymore. So if that is the only concern, go for it.
Ref.: .sub()

modify insertBefore

Is there any way that I can replace the insertBefore and similar with my own functions. My aim is to implement an undo feature and if I'm able to implement it this way, I wont have to change each instance of insertBefore in my code with my function name and it would also make the further development easier.
I've found something similar here Disable a built-in function in javascript (alert) but am not able to figure out how to use it in my case because I dont know who is the parent of these functions (insertBefore,appendChild etc).
I just want to insert one line of my code and then call the native code.
Please advise
PS. I'm trying to implement an undo functionality and this library requires me to register an undo in that undo-function for allowing redo. So all I want to do is make that a single line of code is always executed before any insertBefore and similar functions.
I'm not talking about any libraries, but just the plain ECMAscript.
If you are talking about the insertBefore method of the Node interface, then whether you can or can't do is really moot. The important thing is that you shouldn't. It is a method of a host object and should be left alone.
Incidentally, the term built-in is normally used for the built-in objects and methods of ECMAScript. The window.alert method is more correctly described as a method of a host object and really shouldn't be tampered with either (although in general it can be).

Should I check for a element on a page before calling the Jquery plugin or call it and allow it to fail if not there

I have recently been wondering what would be the most friendly/efficient way to use plugins that have been bundled together to leverage caching. Are plugins are tied to HTML modules that are used sporadically in the site and have been called by using this kind of pattern:
if($('.moduleClass').length) {
$('.moduleClass').modulePlugin();
}
So we check for the module before we call the plugin. I have been wondering if this is the best solution or should I just be allowing jQuery to handle the fail if the browser doesn't find the element.
$('.moduleClass').modulePlugin();
Any idea, thoughts and experiences would be greatly received.
Thanks,
Ad
Doing 2 DOM lookups, is slower than doing 1.
Let jQuery handle it, there shouldn't be an error if there are no elements with the class 'moduleClass', nothing should happen.
I'd recommend not checking for existing explicitly. Just try to find a DOM element and call methods on it. Even if the element does not exist. jQuery handles this for you.
About speed: You're doing two DOM lookups in your first example, which is obviously slower than your second example. And even if you cached the jQuery object in the first example, it's still one lookup in each example.
Well, from the start, you're already calling .length on what could have been an empty set. jQuery lets you do that because it handles stuff like non-existent elements correctly.
Now, whether or not your plugin does the same is a whole different question. Nonetheless, I recommend against checking first anyway. If the plugin does not handle empty sets properly (especially since jQuery -- which it's built on -- does), I'd think again about using it.
I learned that if the plugin sucks it makes sense to check for it.
But if the plugin itself does a check via length or each(). There is nothing to gain by checking with length.

Is getting JSON data with jQuery safe?

JSON allows you to retrieve data in multiple formats from an AJAX call. For example:
$.get(sourceUrl, data, callBack, 'json');
could be used to get and parse JSON code from sourceUrl.
JSON is the simply JavaScript code used to describe data. This could be evaled by a JavaScript interpreter to get a data structure back.
It's generally a bad idea to evaluate code from remote sources. I know the JSON spec doesn't specifically allow for function declarations, but there's no reason you couldn't include one in code and have an unsafe and naive consumer compile/execute the code.
How does jQuery handle the parsing? Does it evaluate this code? What safeguards are in place to stop someone from hacking sourceUrl and distributing malicious code?
The last time I looked (late 2008) the JQuery functions get() getJSON() etc internally eval the JSon string and so are exposed to the same security issue as eval.
Therefore it is a very good idea to use a parsing function that validates the JSON string to ensure it contains no dodgy non-JSON javascript code, before using eval() in any form.
You can find such a function at https://github.com/douglascrockford/JSON-js/blob/master/json2.js.
See JSON and Broswer Security for a good discussion of this area.
In summary, using JQuery's JSON functions without parsing the input JSON (using the above linked function or similar) is not 100% safe.
NB: If this sort of parsing is still missing from getJSON (might have recently been added) it is even more important to understand this risk due to the cross domain capability, from the JQuery reference docs:
As of jQuery 1.2, you can load JSON
data located on another domain if you
specify a JSONP callback, which can be
done like so: "myurl?callback=?".
jQuery automatically replaces the ?
with the correct method name to call,
calling your specified callback.
$.getJSON() is used to execute (rather than using eval) javascript code from remote sources (using the JSONP idiom if a callback is specified). When using this method, it is totally up to you to trust the source, because they will have control to your entire page (they can even be sending cookies around).
From Douglas Crockford site about The Script Tag Hack (jsonp):
So the script can access and use
its cookies. It can access the
originating server using the user's
authorization. It can inspect the DOM
and the JavaScript global object, and
send any information it finds anywhere
in the world. The Script Tag Hack is
not secure and should be avoided.
Both IE 8 and Firefox 3.1 will have native JSON support, which will provide a safe alternative to eval(). I would expect other browsers to follow suit. I would also expect jQuery to change its implementation to use these native methods.
All browsers I know of disable cross-site requests through Ajax. That is, if your page sits on my.example.com, you can't load anything using Ajax unless its URL is also at my.example.com.
This actually can be something of a nuisance, and there are ways for an attacker to inject source in other ways, but ostensibly this restriction is in place to address exactly the concern you mention.

Categories

Resources