This has worried me also.
The problem is that the JSON load could be included in a rogue web
page by using a <script> tag. Since the author of this page has total
control of what he will display, he can subvert the JavaScript
interpreter to run whatever he likes when the JSON object is executed
(changing the Array or Object constructor).
There are two solutions to this problem. One requires the client
side to prove that it actually knows the cookie by embedding some part
of it in the URL of the request and denying people who don't know it.
Since MochiKit is not concerned with the server side, this does not
really apply here.
The second solution implies that JSON should not be directly runnable;
prefixing it with a 'while(1)' or commenting the whole thing out, for
instance, would be enough. But MochiKit makes this hard by providing a
simple, very simple, to use "loadJSONDoc()" function.
I am a person who cares a lot about security, and if I were in charge
of MochiKit I would change the definition of the default JSONDoc used
by the kit to be commented-out JavaScript and would change the
evalJSONRequest function to uncomment the data before it evaluates it.
The problem is that this would break current behavior; in my opinion
this is not bad, because it is simple enough to implement this on
whatever server-side application you have and it would also force
applications to use a more secure form of JSON.
Another way is to call this new form of JSON something else, like SJSON
(secure JSON?) or CJSON (Commented JSON, which is more honest since
we can't know if this is 100% secure anyway), and create an
evalCJSONRequest and loadCJSONDoc. This way it would not break the
current insecure way of doing things but would give simple tools to
people who want security on their sites.
My opinion is that the first option is the best. I made a quick hack
that does just that (I don't have the time to test it right now). The
diff against the svn version is posted below:
Index: Async.js
===================================================================
--- Async.js (revision 1278)
+++ Async.js (working copy)
@@ -217,7 +217,9 @@
MochiKit.Base.update(MochiKit.Async, {
/** @id MochiKit.Async.evalJSONRequest */
evalJSONRequest: function (/* req */) {
- return eval('(' + arguments[0].responseText + ')');
+ var re = new RegExp("^\s/\*(.*)\*/\s*$");
+ var json = arguments[0].responseText.replace(re, "$1");
+ return eval('(' + json + ')');
},
/** @id MochiKit.Async.succeed */
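Review bot: the pattern in `new RegExp("^\s/\*(.*)\*/\s*$")` is built from a string literal, so the string parser consumes the backslashes before the RegExp ever sees them: `\s` becomes `s` and `\*` becomes `*`, leaving `^s/*(.*)*/s*$`, which never matches a `/* ... */` body. Use a regex literal instead, `/^\s*\/\*([\s\S]*)\*\/\s*$/`, which also allows whitespace before the opening `/*` (the first `\s` has no `*`) and matches newlines in the body, which `.` does not. Separately, `replace` silently returns the text unchanged when the pattern does not match, so a bare JSON response falls through to `eval` exactly as before; test the match with `re.exec(...)` and throw when it is null so evalJSONRequest fails closed.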
===================================================================
On Apr 3, 6:35 am, "troels knak-nielsen" <[EMAIL PROTECTED]> wrote:
> This might be of interest.
>
> http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hi...
>
> --
> troels
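The comment-wrapping defence discussed in this thread, written out end to end as an added example; this is not MochiKit's code or the poster's patch. The function names (wrapCommentedJSON, parseCommentedJSON, parseWhilePrefixedJSON, completionValueAsScript), the sample record and the handling of a "*/" inside a string value are this example's own assumptions. It also covers the 'while(1)' prefix variant mentioned above, and models what a rogue page's <script> tag would observe by running the raw response text as a program.

```javascript
"use strict";
// Added example, not MochiKit's own code: "commented JSON" as a defence
// against JSON hijacking through <script src="https://victim/api">.
// All names and the sample record below are this example's own.

// Constructed response body a hypothetical endpoint would return for a
// logged-in user. The note deliberately contains "*/".
const SAMPLE_RECORD = { user: "alice", balance: 1250.5, note: "end */ here" };

// Server side: serialise, then wrap in a block comment. A literal "*/"
// inside a string would close the comment early and expose the remainder
// as script, so it is rewritten as "*\/", which JSON still decodes to "*/".
function wrapCommentedJSON(value) {
  const text = JSON.stringify(value).replace(/\*\//g, "*\\/");
  return "/*" + text + "*/";
}

// Client side (the XMLHttpRequest consumer): insist on the comment wrapper,
// fail closed when it is missing, and decode with JSON.parse, not eval.
// [\s\S] is used instead of "." so multi-line bodies match; a regex literal
// is used so the backslashes survive.
const COMMENT_RE = /^\s*\/\*([\s\S]*)\*\/\s*$/;
function parseCommentedJSON(responseText) {
  const m = COMMENT_RE.exec(responseText);
  if (m === null) {
    throw new Error("expected /* ... */ wrapped JSON; refusing to parse");
  }
  return JSON.parse(m[1]);
}

// The same idea for the "while(1);" prefix from the post: executed as a
// script the response hangs, so it is never run here, only stripped.
const WHILE_PREFIX = "while(1);";
function parseWhilePrefixedJSON(responseText) {
  if (!responseText.startsWith(WHILE_PREFIX)) {
    throw new Error("expected while(1); prefix; refusing to parse");
  }
  return JSON.parse(responseText.slice(WHILE_PREFIX.length));
}

// What a rogue page's <script> tag observes: the completion value of the
// response run as a program. Indirect eval models script execution of the
// constructed text only; never call this on while(1)-prefixed input.
function completionValueAsScript(text) {
  return (0, eval)(text);
}

// Stand-alone demonstration.
const wrapped = wrapCommentedJSON(SAMPLE_RECORD);
console.log("wire format:", wrapped);
console.log("as script  :", completionValueAsScript(wrapped)); // undefined
console.log("as XHR     :", parseCommentedJSON(wrapped));
console.log("bare array as script:",
  completionValueAsScript(JSON.stringify(["alice", 1250.5]))); // leaks
```

The bare top-level array is the case that matters: run as a script it yields the array as its completion value, which is what a hostile page with a subverted Array constructor harvests, while the commented form is an empty program and yields nothing.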
You received this message because you are subscribed to the Google Groups
"MochiKit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/mochikit?hl=en