How dangerous is it send HTML in AJAX as opposed to sending JSON and building the HTML? [duplicate]

Answer 1

I tend to use the following rules:

1. Request and return HTML for quick snippets, then use client-side (static) Javascript to insert them. Great for alert messages.

2. Request and return JSON for large datasets. This works great when you want to do filtering, grouping, or sorting on the client side without re-requesting the data in a different form.

3. Request and return JSON for large datasets, but include the (escaped) HTML snippet for each record in the JSON record. This means more rendering time and more bandwidth use than (2), but can reduce duplication of often complex HTML rendering.

4. Request and return Javascript, and eval it client-side. This works best for interactions such as hiding, showing, moving, and deleting. It can work for insertions as well, but often type (1) or (5) work better for that.

5. Request and return Javascript, and eval it client-side, but include escaped HTML in the Javascript so the server is doing the HTML rendering.

I probably use 5 and 1 the most often.

Answer 2

With both JSON raw html you still have worry the contents being safe, after all JSON is JavaScript code. I suppose if you don't trust the source of your HTML data then you are open to all sorts of Cross Site Scripting attacks. Consider sending the data as JSON and using Javascript Templating library like the one in Yahoo UI library, see http://developer.yahoo.com/yui/docs/YAHOO.lang.html#method_substitute then let the Front End Guys maintain the templates.