Roan Kattouw wrote:
> <snip>
> If your backend wasn't already relying on JSON output, you could've
> requested XML output instead and that would've worked just fine
> without any security issues. Running stuff through IEContentAnalyzer
> just so we can put a wrong MIME type on it (text/plain is not
> appropriate for JSON, should be either application/json or
> text/javascript) is a bad idea. I see you've already removed the
> text/plain option, so it's now back to using text/javascript for
> callbacks and application/json instead.
>
I agree. IEContentAnalyzer is over the top, especially since the escaped white-spaced JSON content plays nice with eval, so there is no reason to make things more complicated. Just have to remember not to change the <pre> tag for jsonfm output ;)

--michael
