Re: [xml-dev] Maximally Consumable Data

["bryan rasmussen" <rasmussen.bryan@gmail.com>]

I agree that the JSON does not need to be eval'ed, but I think it
probably still would end up being a security risk that you can
potentially, from the client, access data that is not from the server
that is serving your application.

Cheers,
Bryan Rasmussen

On Mon, Apr 7, 2008 at 2:23 PM, Costello, Roger L. <costello@mitre.org> wrote:
> Hi Rob,
>
>
>  > But, you have to 'eval' it making a
>  > potential security threat.
>
>  In the book, Bulletproof Ajax, by Jeremy Keith, he says (p. 87):
>
>  "In order to extract the contents of a JSON object, it must be
>  evaluated.  The eval function is powerful, and potentially dangerous.
>  If you're retrieving JSON data from a third party that isn't entirely
>  trustworthy, it could contain some malicious JavaScript code that will
>  be executed with eval.  For this reason Douglas Crockford has written a
>  JSON parser that will parse only properties, ignoring any methods
>  (http://www.json.org/js.html)."
>
>  /Roger
>
>
>
>  _______________________________________________________________________
>
>  XML-DEV is a publicly archived, unmoderated list hosted by OASIS
>  to support XML implementation and development. To minimize
>  spam in the archives, you must subscribe before posting.
>
>  [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>  Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
>  subscribe: xml-dev-subscribe@lists.xml.org
>  List archive: http://lists.xml.org/archives/xml-dev/
>  List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
>
>