Originally I had the following structure:
index.html file:
...
<script src="myfunctions.js" />
...
myfunctions.js file:
...
function one() {
....
}
function two() {
....
}
function three() {
....
}
That way I got over 2 500 lines of Javascirpt written but then I had to add a PHP variable to a function so I had to rename index.html to index.php, rename myfunctions.js to myfunctions.js.php and do the following changes:
index.php file:
...
<?php
include("myfunctions.js.php");
?>
...
myfunctions.js.php file:
<script>
...
function one() {
....
}
function two() {
....
}
function three() {
....
}
function four() {
var x = <?php echo $_conf['user_id'];?>
console.log(x);
}
</script>
I have achieved my purpose of using PHP variable in JavaScript but I have noticed that the web page in the browser started to show all the included function, i.e. if in the first case when I was looking at the page with a debug tool or by saving that page on a disk I saw just some little JavaScript code contained in index.html but now looking at or saving the index.php file I see all the functions from myfunctions.js.php visible. Of course the visible content didn't change but the actual output got 2 500 lines longer. Would that be a security problem? Should I avoid this way of showing a PHP variable in JavaScript or I shouldn't be concern about it and leave it how it is?
My concern is that in the second case all my functions gets open so a malicious user can see all the server-side PHP scripts names and required parameters which gives more ways to attack.