[ https://issues.apache.org/jira/browse/SLING-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13107995#comment-13107995 ]
Antonio Sanso commented on SLING-2206:
--------------------------------------
An alternative JSON output to the one already proposed (namely adding
while(1);) would be having this format:
{
  "data": [
    {
      ...
    },
    {
      ...
    }
  ]
}
rather than
[
  {
    ...
  },
  {
    ...
  }
]
> Preventing the Execution of Unauthorized Script in JSON
> -------------------------------------------------------
>
> Key: SLING-2206
> URL: https://issues.apache.org/jira/browse/SLING-2206
> Project: Sling
> Issue Type: New Feature
> Components: Servlets
> Reporter: Antonio Sanso
> Priority: Minor
>
> For an explanation of the security problem please check [0].
> To see how, for example, Gmail solves the problem refer to [1].
> I think it would be good to have this feature be configurable (on by
> default). I would personally opt for adding the while(1); solution (the
> same one Google uses).
> [0] http://labs.adobe.com/technologies/spry/samples/data_region/JSONParserSample.html
> [1] http://msujaws.wordpress.com/2011/02/28/xss-prevention-in-gmail/
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
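The two framings discussed in this thread, the while(1); prefix from the issue description and the {"data": [...]} wrapper from the comment, as an added example that is not part of the issue or of Sling's own code. Function names and the sample rows are constructed for illustration; the check uses new Function(), which compiles a string as a JavaScript program without running it, to show which response bodies a script tag could load at all.

```javascript
// Added example, not from SLING-2206 or the Sling code base.
// Prefix used by the "while(1);" approach discussed in the issue.
const GUARD_PREFIX = "while(1);";

// Constructed sample result: the kind of bare array a JSON servlet returns.
const SAMPLE_ROWS = [
  { path: "/content/a", title: "A" },
  { path: "/content/b", title: "B" },
];

// Server side: serialize an array result so it is not a usable script.
// mode "prefix": prepend while(1); (the Gmail-style approach).
// mode "wrap":   wrap the array in an object, as the comment proposes.
function serializeProtected(rows, mode) {
  if (!Array.isArray(rows)) throw new TypeError("expected an array result");
  if (mode === "prefix") return GUARD_PREFIX + JSON.stringify(rows);
  if (mode === "wrap") return JSON.stringify({ data: rows });
  throw new Error("unknown mode: " + mode);
}

// Client side (same-origin XHR): strip the guard prefix if present, then
// parse strictly. Returns the rows regardless of which framing was used.
function parseProtected(body) {
  const text = body.startsWith(GUARD_PREFIX)
    ? body.slice(GUARD_PREFIX.length)
    : body;
  const value = JSON.parse(text);
  if (Array.isArray(value)) return value;
  if (value !== null && typeof value === "object" && Array.isArray(value.data)) {
    return value.data;
  }
  throw new Error("unexpected JSON shape");
}

// Is the body syntactically a JavaScript program, i.e. could a <script src>
// tag load it? new Function() only compiles; nothing is executed. A bare
// array compiles, and so does the while(1); form (it simply never finishes
// when run). {"data":[...]} does not compile at all, because inside a block
// a quoted string cannot be a label; note that an unquoted {data: [...]}
// WOULD compile as a labeled statement, so the keys must stay quoted.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}
```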