[
https://issues.apache.org/jira/browse/SLING-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13098075#comment-13098075
]
Justin Edelson commented on SLING-2206:
---------------------------------------
The gmail link also describes a JSONP style response. As far as I know, JSON
arrays are no longer evaluated when they are returned from a script tag by
modern browsers.
> Preventing the Execution of Unauthorized Script in JSON
> -------------------------------------------------------
>
> Key: SLING-2206
> URL: https://issues.apache.org/jira/browse/SLING-2206
> Project: Sling
> Issue Type: New Feature
> Components: Servlets
> Reporter: Antonio Sanso
> Priority: Minor
>
> For an explanation of the security problem please check [0].
> To see how for example Gmail solves the problem refer to [1]
> I think that would be good to have this feature to be configurable (on by
> default). I would personally opt for adding the while(1); solution (that is
> the same Google use).
> .
> [0]
> http://labs.adobe.com/technologies/spry/samples/data_region/JSONParserSample.html
> [1] http://msujaws.wordpress.com/2011/02/28/xss-prevention-in-gmail/
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
