问题
I have a simple call to a REST API using jQuery/AJAX. I realize that the parsing method here could be done more elegantly and will ask another question on that(although any comments here are welcome). Current Question: Are there glaring or not-so-glaring vulnerabilities in using this method to retrieve and parse api data. Would using a server-side script to retreve it first behind the firewall and save it outside the firewall to access it through this webpage be a marked improvement?
$(function() {
$.ajax({
type: "GET",
async: "true",
crossDomain: "true",
url: "https://data.usajobs.gov/api/Search?Organization=XXXX&WhoMayApply=All",
headers: {
"authorization-key": "XXXXXXXXXXXXXXXXXX",
"user-agent": "XXXX@XXX.gov",
"host": "data.usajobs.gov",
"cache-control": "no-cache",
}
}).done(function(data) {
"use strict";
var jts = [];
var json_obj1 = (data.SearchResult.SearchResultItems);
var json_obj2 = $.makeArray(json_obj1)
$.map(json_obj2, function(v) {
var start = v.MatchedObjectDescriptor.PositionStartDate;
var start_f = moment.utc(start).format('MMMM Do YYYY');
var end = v.MatchedObjectDescriptor.PositionEndDate;
var end_f = moment.utc(end).format('MMMM Do YYYY');
jts.push("<tr><td><strong><a href='" + v.MatchedObjectDescriptor.PositionURI + "'>" + v.MatchedObjectDescriptor.PositionID + ", " + v.MatchedObjectDescriptor.PositionTitle + "</a> »</strong></td><td>" + v.MatchedObjectDescriptor.JobGrade[0].Code + "-" + v.MatchedObjectDescriptor.UserArea.Details.LowGrade + " - " + v.MatchedObjectDescriptor.UserArea.Details.HighGrade + "</td><td>" + start_f + " - " + end_f + "</td><td>" + v.MatchedObjectDescriptor.UserArea.Details.WhoMayApply.Name + "</td></tr>");
//show table on success()
$('.job_table').css('display', 'block')
$('#no_message').css('display', 'none')
});
var ls = jts.join("")
$('.job_table tbody#live_jobs').html(ls);
console.log(ls)
});
});
来源:https://stackoverflow.com/questions/37392954/vulnerability-level-of-jquery-ajax-api-call-in-webpage