[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
Re: [xml-dev] json v. xml
- From: Elliotte Harold <elharo@metalab.unc.edu>
- To: "Nathan Young -X (natyoung - Artizen at Cisco)" <natyoung@cisco.com>
- Date: Fri, 05 Jan 2007 16:01:01 -0500
Nathan Young -X (natyoung - Artizen at Cisco) wrote:
> JS (including JSON) can be included in the page using the script tag or
> a DOM equivalent created via JS in the page. The source from which the
> script tag pulls a file full of JS source code can point to any server.
Can this URL be dynamically created at runtime using more JavaScript?
> The fact that your page can easily get JS from untrusted sources but not
> XmlHttp content is bizzare as far as I'm concerned. Changing browser
> policies to tighten the restrictions on the scrip tag is unlikely to
> happen.
>
I'm not quite sure if it's possible, but I'm really tempted to write a
proof of concept exploit that base64 encodes XML, stuffs it in JSON,
downloads it with JSON, and then deencodes it and passes it to an XML
parser for parsing.
Is there anyway to simply load arbitrary binary or text content from an
arbitrary network connection in JavaScript? For instance, by setting an
iframe URL to point to it and then grabbing it? If so, I could avoid the
need to preencode the XML in JSON completely. :-)
--
Elliotte Rusty Harold elharo@metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
