> > There's something significant behind the buzz, though. I really don't want
> > to read the announcement: "ATTN everyone using jQuery.ajax(). If you're
> > going to update your library or if you're linking to the latest on google
> > and it's updated FOR you without your knowledge, you MUST first go through
> > all of your existing code and explicitly choose a dataType. This is because
> > we have changed dataType's default behavior which now makes it possible
> > that javascript could be eval'd undesirably. Also, if you depended upon an
> > xml/html only guess in your app design, well then I guess you're out of
> > luck for now."
> >
> > Obviously I'm no good at writing announcements but this is the gist of why
> > we need a new setting to allow guess-anything/auto-detect or whatever we
> > call it.
>
Well, let's take the original request here: it was about having ajax automatically fetch json data using the content-type header. Letting the server decide whether javascript code should be executed or not client-side is wrong no matter how you look at it. It should be a conscious decision from the developers (just like it is when dealing with <script /> embedded into html or jsonp requests). So I'm clearly against auto-fetching scripts (sorry that I totally forgot to say so earlier).

Now we're left with pure json, which is eval'd if there is no native JSON object client-side. Wouldn't it be feasible to regexp-test the string before evaluation to avoid malicious code in that case? If so, there is strictly no reason not to allow the auto-fetching feature for the json dataType. For instance, http://code.google.com/p/jquery-json/ provides a secureEvalJSON method that makes some tests before evaluating the string expression. Seems to me like a good way to start.

--
You received this message because you are subscribed to the Google Groups "jQuery Development" group.
To post to this group, send email to jquery-...@googlegroups.com.
To unsubscribe from this group, send email to jquery-dev+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/jquery-dev?hl=en.
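The two points raised in this reply, a regexp guard before eval'ing JSON and refusing to let the server's content-type decide that script gets executed, as an added example. This is not code from the jQuery project, from jquery-json, or from anyone in the thread; the guard reuses the token-stripping regexp pattern popularised by Douglas Crockford's json2.js (whether jquery-json's secureEvalJSON uses exactly that pattern is an assumption), and the parseResponse dispatcher, its parameter names and the sample responses are all constructed for this illustration.

```javascript
// Added example, not part of the jQuery project or of jquery-json.
// secureEvalJSON: reject anything that is not pure JSON data before it reaches eval.
// parseResponse: auto-detect JSON from the content-type header, but never execute
// script unless the developer explicitly asked for dataType "script".

// Escaped characters inside strings are neutralised first, so a "\"" cannot
// terminate a string early and smuggle code past the next pass.
var JSON_ESCAPES = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
// Every string, number, true/false/null token collapses to a single "]".
var JSON_TOKENS = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
// Array openers are dropped; what is left must be only structural punctuation.
var JSON_OPENERS = /(?:^|:|,)(?:\s*\[)+/g;
var JSON_SKELETON = /^[\],:{}\s]*$/;

function isSafeJsonText(text) {
  var stripped = String(text)
    .replace(JSON_ESCAPES, '@')
    .replace(JSON_TOKENS, ']')
    .replace(JSON_OPENERS, '');
  // Identifiers, parentheses, operators or semicolons survive the stripping,
  // and any of them means executable code rather than data.
  return JSON_SKELETON.test(stripped);
}

function secureEvalJSON(text) {
  if (!isSafeJsonText(text)) {
    throw new SyntaxError('refusing to eval non-JSON text');
  }
  // Parenthesised so a top-level object literal parses as an expression, not a block.
  return (new Function('return (' + text + ');'))();
}

// The unguarded behaviour the thread warns about: whatever the server sent runs.
function naiveEvalJSON(text) {
  return (new Function('return (' + text + ');'))();
}

// Minimal stand-in for the dataType decision in an ajax layer (hypothetical API).
// contentType: the response Content-Type header; body: response text;
// requestedDataType: what the developer passed explicitly, or undefined.
function parseResponse(contentType, body, requestedDataType) {
  var mime = String(contentType || '').split(';')[0].trim().toLowerCase();
  var serverSaysScript = mime === 'application/javascript' || mime === 'text/javascript';
  var serverSaysJson = mime === 'application/json';

  if (requestedDataType === 'script') {
    // Conscious opt-in by the developer, as with <script> tags or JSONP.
    return { dataType: 'script', value: (new Function(body))() };
  }
  if (serverSaysScript) {
    // Server-driven execution is exactly what must not happen by default.
    throw new Error('server sent ' + mime + ' but dataType "script" was not requested');
  }
  if (requestedDataType === 'json' || serverSaysJson) {
    // Auto-detection of JSON is fine once the text is guarded before eval.
    return { dataType: 'json', value: secureEvalJSON(body) };
  }
  return { dataType: 'text', value: body };
}

// Constructed sample responses (not captured from any real server).
globalThis.pwned = false;
var BENIGN_RESPONSE = '{"user":"alice","roles":["admin","dev"],"note":"say \\"hi\\"","n":-1.5e3}';
var MALICIOUS_RESPONSE = '(function(){ globalThis.pwned = true; return {"user":"alice"}; })()';
```

Running naiveEvalJSON(MALICIOUS_RESPONSE) returns a perfectly normal-looking object while flipping globalThis.pwned, which is the scenario the thread is worried about; secureEvalJSON throws on the same input because the parentheses and identifiers survive the stripping, and parseResponse throws for a text/javascript response unless the caller passed dataType "script". On a client with a native JSON object, JSON.parse replaces the guarded eval entirely.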