* On Wed, Mar 12 2008, Matt Pitts wrote:
> The main reason against JSON for me is security. Something that can be
> eval'd is very dangerous and I'm sure we're all aware of the cross-site
> vulnerabilities that take advantage of JSON returned data.

Don't parse JSON with eval.  Use a parser.  (How do you think Perl
parses JSON?)

It's a code vs. data issue.  Yes, evalling code is dangerous.  So don't
do that.  Treat your data as data and you won't have a problem.

Regards,
Jonathan Rockway

-- 
print just => another => perl => hacker => if $,=$"

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
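
The code vs. data point from the reply above, as an added example that is not part of the original message or the Catalyst project: the same two response bodies are decoded once with `eval` and once with a JSON parser. The sample inputs, the function names, and the `globalThis.sideEffects` array are constructed for illustration.

```javascript
// Constructed inputs: one well-formed JSON document, and one "response" that
// is a JavaScript expression with a side effect rather than JSON.
const GOOD = '{"user": "alice", "roles": ["admin", "dev"]}';
const HOSTILE = '{"user": (globalThis.sideEffects.push("ran"), "alice")}';

// Stand-in for anything code inside a response could touch (assumption).
globalThis.sideEffects = [];

// The pattern the quoted message worries about: the response text is handed
// to the JavaScript interpreter, so any expression inside it is executed.
function decodeWithEval(text) {
  return (0, eval)("(" + text + ")");
}

// The reply's advice: a parser accepts only the JSON grammar and never
// executes its input. Anything else is rejected with a SyntaxError.
function decodeWithParser(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Decode both inputs both ways and record whether embedded code ran.
function demo() {
  globalThis.sideEffects.length = 0;
  const evalGood = decodeWithEval(GOOD);
  const evalHostile = decodeWithEval(HOSTILE);
  const ranUnderEval = globalThis.sideEffects.length;

  globalThis.sideEffects.length = 0;
  const parsedGood = decodeWithParser(GOOD);
  const parsedHostile = decodeWithParser(HOSTILE);
  const ranUnderParser = globalThis.sideEffects.length;

  return { evalGood, evalHostile, ranUnderEval,
           parsedGood, parsedHostile, ranUnderParser };
}

console.log(demo());
```

With `eval` the hostile body decodes to an ordinary-looking object, so the caller gets no signal that code ran; with the parser the same body is rejected before any value is returned.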
