XML.orgXML.org
FOCUS AREAS |XML-DEV |XML.org DAILY NEWSLINK |REGISTRY |RESOURCES |ABOUT
OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] json v. xml

Nathan Young -X (natyoung - Artizen at Cisco) wrote:

> JS (including JSON) can be included in the page using the script tag or
> a DOM equivalent created via JS in the page.  The source from which the
> script tag pulls a file full of JS source code can point to any server.

Can this URL be dynamically created at runtime using more JavaScript?

> The fact that your page can easily get JS from untrusted sources but not
> XmlHttp content is bizzare as far as I'm concerned.  Changing browser
> policies to tighten the restrictions on the scrip tag is unlikely to
> happen.
> 

I'm not quite sure if it's possible, but I'm really tempted to write a 
proof of concept exploit that base64 encodes XML, stuffs it in JSON, 
downloads it with JSON, and then deencodes it and passes it to an XML 
parser for parsing.

Is there anyway to simply load arbitrary binary or text content from an 
arbitrary network connection in JavaScript? For instance, by setting an 
iframe URL to point to it and then grabbing it? If so, I could avoid the 
need to preencode the XML in JSON completely. :-)

-- 
´╗┐Elliotte Rusty Harold  elharo@metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS