@John, I did not say it clearly, so I will do it now: I agree 100%
with the no-compromise approach to "non-standard" (aka illegal) JSON
strings. It is only that in reality, there are well-known and
(commercial) paid-for RESTful services which return this wrong kind
of JSON. Especially this kind: " { look-ma-no-quotes : 1 }" is, it
seems, widespread. jQ 1.4 is at least resilient to this.
What is relevant is that other JSON issues, especially security ones,
are (much) larger than jQuery indeed. They need to be ultimately
resolved by W3C, IEEE, http://www.soa-standards.org/, etc., not
jQuery or any other JS library.
The best you can do is to document these issues.
What is especially worrying is that new kinds of "AJAX" (not AJAX)
platforms are starting to appear, which just use the idea of JSON
string + HTTP, but without DOM, JavaScript and browsers, and which
talk to proprietary server-side "REST" (not REST). This is old news
with XML, but XML is not the source of any programming language. JSON is
much more dangerous since it is source code, not a document markup
language.
--DBJ
On Jan 7, 7:53 pm, John Resig <[email protected]> wrote:
> > That's all nice & dandy for json. But the "javascript getting executed
> > solely on server saying so" problem still remains. The fact you had to
> > change the synchronous request tests is a clear proof of the problem to me:
> > existing code will break (no issue if documented), existing code will face a
> > security hole (more problematic to say the least).
>
> I've already documented the change in the new 1.4 API docs. As I said
> before, the second issue is not any more of an issue than what is
> already happening with .load() - in fact I would say it's less of an
> issue than what happens with .load() since XSS attacks are far more
> likely to occur in raw HTML (which .load() deals with).
>
> --John
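
The difference between treating a response as JSON data and treating it as JavaScript source, which this thread turns on, shown as an added example that is not part of the original messages and is not jQuery's code. The function names and sample responses are constructed for illustration.

```javascript
// Added example; names and sample payloads are constructed, not from jQuery.

// Strict path: JSON.parse treats the text purely as data and throws on
// anything outside the JSON grammar (unquoted keys, expressions, ...).
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Lenient path: the text is evaluated as JavaScript source. This accepts
// unquoted keys, but it also runs any expression the server included.
function parseByEvaluation(text, scope) {
  try {
    const fn = new Function("scope", "return (" + text + ");");
    return { ok: true, value: fn(scope) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample responses.
const samples = {
  valid: '{ "answer" : 1 }',
  unquotedKey: '{ answer : 1 }',
  withCode: '{ "answer" : (scope.touched = true, 1) }',
};

// Run every sample through both paths and record whether the embedded
// expression had a side effect on the caller's state.
function compare() {
  const scope = { touched: false };
  const rows = {};
  for (const [name, text] of Object.entries(samples)) {
    rows[name] = {
      strict: parseStrict(text).ok,
      evaluated: parseByEvaluation(text, scope).ok,
    };
  }
  return { rows, sideEffectRan: scope.touched };
}

console.log(JSON.stringify(compare(), null, 2));
```

The strict parser accepts only the first sample; the evaluating parser accepts all three and, for the last one, changes the caller's state as a side effect of "parsing".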