XML.orgXML.org
FOCUS AREAS |XML-DEV |XML.org DAILY NEWSLINK |REGISTRY |RESOURCES |ABOUT
OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Maximally Consumable Data

I agree that the JSON does not need to be eval'ed, but I think it
probably still would end up being a security risk that you can
potentially, from the client, access data that is not from the server
that is serving your application.

Cheers,
Bryan Rasmussen

On Mon, Apr 7, 2008 at 2:23 PM, Costello, Roger L. <costello@mitre.org> wrote:
> Hi Rob,
>
>
>  > But, you have to 'eval' it making a
>  > potential security threat.
>
>  In the book, Bulletproof Ajax, by Jeremy Keith, he says (p. 87):
>
>  "In order to extract the contents of a JSON object, it must be
>  evaluated.  The eval function is powerful, and potentially dangerous.
>  If you're retrieving JSON data from a third party that isn't entirely
>  trustworthy, it could contain some malicious JavaScript code that will
>  be executed with eval.  For this reason Douglas Crockford has written a
>  JSON parser that will parse only properties, ignoring any methods
>  (http://www.json.org/js.html)."
>
>  /Roger
>
>
>
>  _______________________________________________________________________
>
>  XML-DEV is a publicly archived, unmoderated list hosted by OASIS
>  to support XML implementation and development. To minimize
>  spam in the archives, you must subscribe before posting.
>
>  [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>  Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
>  subscribe: xml-dev-subscribe@lists.xml.org
>  List archive: http://lists.xml.org/archives/xml-dev/
>  List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
>
>


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS