Catching up on my emails...

On Tue, Dec 29, 2009 at 9:27 AM, Julian Aubourg <aubourg.jul...@gmail.com> wrote:

>> If you're worried about your server sending malicious javascript, then only
>> accept text/plain or text/xml (*even dataType: 'html' isn't safe since it
>> executes script blocks*).
Good point.

IMO auto-eval of json really becomes a problem when the request uri is
taken/generated from an unsafe source (or the destination script will
"unpredictably" change the content-type through query-parameters from an
unsafe source).  For static uri/request parameters I do expect the
web-developer to know what the server side scripts may possibly respond with.

For cross-domain ajax requests I would tend to consider it a bug if the
developer does not specify a dataType and gets unintended results.

And with html and script blocks we already have the 'eval'-behavior (which I
did not think of in my original post). So it looks to me that adding json
would not change much, after all.

My intent was not to say "We need to change that", but to point to this
issue and ask "Have you thought about that?" If we come to the conclusion
that this won't happen / make things worse (i.e. apart from what the
developer already has to take care of wrt. ajax requests) for real-world
applications, and maybe add a note to the documentation: "Always specify a
dataType for unknown/untrusted content, because of possible script execution
[even for html!]" -- that's fine with me, too.

  Tobias
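The two response-handling policies discussed above, as an added example that is not part of the original thread or of jQuery itself: handleGuessing() is a simplified model of a handler with no dataType that trusts the server's Content-Type header (the auto-eval behaviour in question), and handleDeclared() is the recommended alternative where the caller declares the dataType and the body is never handed to the script engine. The substring matching in guessDataType() and the sample responses are assumptions constructed for the example.

```javascript
// Added example, not jQuery's code. Neither handler executes anything; each
// reports what would happen to the response body under its policy.

// Type an auto-guessing handler would infer from the Content-Type header
// (assumption: simple substring matching, not jQuery's exact logic).
function guessDataType(contentType) {
  const ct = String(contentType || "").toLowerCase();
  if (ct.includes("xml")) return "xml";
  if (ct.includes("json")) return "json";
  if (ct.includes("javascript")) return "script";
  if (ct.includes("html")) return "html";
  return "text";
}

// Policy 1: no dataType given, so the server's header decides. "script" is
// eval'ed, "json" is eval'ed by clients without a real JSON parser, and
// "html" runs its <script> blocks once inserted into the page (the
// "[even for html!]" case). A server the developer does not control, or a
// URI built from untrusted input, therefore decides whether code runs.
function handleGuessing(contentType, body) {
  const type = guessDataType(contentType);
  const executes = type === "script" || type === "json" ||
    (type === "html" && /<script\b/i.test(body));
  return { type, executes };
}

// Policy 2: the caller declares a dataType for untrusted content. Only
// non-executing types are accepted: text and xml come back as strings for a
// real parser, json goes through JSON.parse (which rejects anything that is
// not JSON), and html/script are refused outright.
function handleDeclared(dataType, body) {
  switch (dataType) {
    case "text":
    case "xml":
      return { type: dataType, data: body, executes: false };
    case "json":
      return { type: "json", data: JSON.parse(body), executes: false };
    default:
      throw new Error("dataType '" + dataType + "' not allowed for untrusted content");
  }
}

// Constructed sample responses, as a hostile or misconfigured server might send them.
const SAMPLES = [
  { ct: "application/json", body: "alert(1)" },
  { ct: "text/html", body: "<p>hi</p><script>alert(1)</script>" },
];
```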

--

You received this message because you are subscribed to the Google Groups 
"jQuery Development" group.