XML.orgXML.org
FOCUS AREAS |XML-DEV |XML.org DAILY NEWSLINK |REGISTRY |RESOURCES |ABOUT
OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
RE: [xml-dev] json v. xml

Hi.

> > JS (including JSON) can be included in the page using the 
> script tag or
> > a DOM equivalent created via JS in the page.  The source 
> from which the
> > script tag pulls a file full of JS source code can point to 
> any server.
> 
> Can this URL be dynamically created at runtime using more JavaScript?

Absolutely.  My assertion is that this is the first and most important point to do taint checking (or not use dynamic values in script source URLs at all).

> I'm not quite sure if it's possible, but I'm really tempted 
> to write a 
> proof of concept exploit that base64 encodes XML, stuffs it in JSON, 
> downloads it with JSON, and then deencodes it and passes it to an XML 
> parser for parsing.

I think this is a lot of work for a questionable payoff.  This hacker has a nice JavaScript worm going...

http://namb.la/popular/

> Is there anyway to simply load arbitrary binary or text 
> content from an 
> arbitrary network connection in JavaScript? For instance, by 
> setting an 
> iframe URL to point to it and then grabbing it? If so, I 
> could avoid the 
> need to preencode the XML in JSON completely. :-)

You can use the XmlHttpRequest method... you can also grab the contents of an iframe and as you posit this would bypass the XmlHttpRequest security restrictions and let you get arbitrary text content into a JS variable from an arbitrary URL.

There is a bunch of talk right now in youthful Ajax circles about solving the "problems" presented by the XmlHttpRequest security restrictions.

This guy talks about the reasons for it and mentions both the myspace worm and the article that diggs itself.

http://shiflett.org/archive/250

Client side security is going to get a lot crazier in the coming years.

---------->Nathan

> 
> -- 
> Elliotte Rusty Harold  elharo@metalab.unc.edu
> Java I/O 2nd Edition Just Published!
> http://www.cafeaulait.org/books/javaio2/
> http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/ca
> feaulaitA/
> 


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS