Bytes IT Community

JSON data format

I'm writing my first json/ajax code and I'm having a hard time wrapping
my mind around security issues.

I'm thinking of a json response that would look like this:

{"data":[
{"name":"name1","street":"street1","zip":["zip1","zip2","zip3"]}
,{"name":"name2","street":"street2"}
],
"instructions":{"function_to_execute":"some_function"}
}

and would be processed like this:

ajax=eval('(' + AJAX.responseText + ')');

Now, I've been reading up on json but I can't quite make any sense out
of what the problem is. Is it accessing data on the server, or only
accessing data on the browser?

Is this a problem because of third party ads or extras that may be on
the page?

At the moment I'm just sending color and formatting information, but I
suppose I'll want to do more later.

Jeff
Feb 21 '08 #1
1 Reply


On Thu, 21 Feb 2008 02:09:56 -0500, Jeff wrote:
> ajax=eval('(' + AJAX.responseText + ')');
>
> Now, I've been reading up on json but I can't quite make any sense out
> of what the problem is. Is it accessing data on the server, or only
> accessing data on the browser?
The security issue:

AJAX.responseText -can- contain executable code that eval will happily
run.

(For example, someone with the ability to modify a product description
could change the description to executable code that looks for a
customer filling out credit card information in a shopping cart and
submits that data somewhere else.)

Some folks prefer to avoid eval entirely and decode JSON manually, while
others are content to check out the JSON response and reject it if they
find anything funky.

Check this out for an example of the second approach. To the best of my
knowledge, this is regarded as secure.

<URL: http://www.json.org/json2.js >

Feb 21 '08 #2
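The three options the reply describes side by side, as an added example that is not part of the original thread and not code from json2.js itself: the bare eval from the question, a json2.js-style "validate with regular expressions, then eval" decoder (the regexes follow the shape of json2.js's check and are reproduced here from memory, not copied from the file), and the native JSON.parse that later replaced both. It also shows how to act on the "function_to_execute" field from the question without evaluating the name: look it up in an allowlist of handlers. The two responses, the sendToAttacker sink and the some_function handler are all constructed for this example. Runs under Node.js with no network.

```javascript
// Constructed sample: the response from the original question, as one string.
const GOOD_RESPONSE = '{"data":[' +
  '{"name":"name1","street":"street1","zip":["zip1","zip2","zip3"]}' +
  ',{"name":"name2","street":"street2"}' +
  '],"instructions":{"function_to_execute":"some_function"}}';

// Constructed stand-in for "submit that data somewhere else": anything an
// attacker's code passes here counts as exfiltrated.
const stolen = [];
function sendToAttacker(value) { stolen.push(value); }

// Constructed sample: a "product description" rewritten as JavaScript.
// It is a valid JS expression, so eval('(' + text + ')') runs the call
// to sendToAttacker while still producing a normal-looking object.
const EVIL_RESPONSE = '{"data":[{"name":(sendToAttacker("4111 1111 1111 1111"),"name1")}]}';

// 1. The pattern from the question: whatever the server sends is executed.
function unsafeDecode(text) {
  return eval('(' + text + ')');
}

// 2. The json2.js approach: prove the text is a JSON literal before eval.
//    (a) neutralise escape sequences so \" cannot terminate a string early,
//    (b) collapse every string, number and true/false/null token to ']',
//    (c) drop '[' that open arrays; only structural characters may remain.
function json2StyleDecode(text) {
  const a = text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@');
  const b = a.replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']');
  const c = b.replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  if (!/^[\],:{}\s]*$/.test(c)) {
    throw new SyntaxError('response is not plain JSON; refusing to eval');
  }
  return eval('(' + text + ')');
}

// 3. The modern answer: a real JSON parser never executes anything.
function strictDecode(text) {
  return JSON.parse(text);
}

// Acting on "function_to_execute" without eval or window[name]: the data
// may only pick from handlers we registered. hasOwnProperty keeps names
// such as "constructor" or "__proto__" from reaching Object.prototype.
const HANDLERS = {
  some_function: (data) => data.length,   // hypothetical handler
};
function dispatch(response) {
  const name = response.instructions && response.instructions.function_to_execute;
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, name)) {
    throw new Error('unknown instruction: ' + String(name));
  }
  return HANDLERS[name](response.data);
}

// Returns true when the decoder refuses the text with a SyntaxError.
function rejects(decoder, text) {
  try { decoder(text); return false; } catch (e) { return e instanceof SyntaxError; }
}
```

The validation in json2StyleDecode is only as good as its regular expressions, which is why the reply's first camp (decode without eval at all) won once JSON.parse became available everywhere; on the question's second concern, validating the response does nothing about third-party scripts already running on the page, since they share the same origin and can read the decoded object regardless of how it was decoded.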
