On 05.05.2010 20:01, Evan Gilbert wrote:
On Wed, May 5, 2010 at 10:59 AM, Evan Gilbert <uid...@google.com> wrote:
On Wed, May 5, 2010 at 10:47 AM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
Even if not supported directly by the platform there are many
JSON libraries available these days.
It's not hard to add JSON support, but it's a factor in the choice.
http://www.json.org/ lists 3 libraries for Objective-C alone.
Moreover, the JSON documents we are discussing now are simple,
something like
{ "access_token": "SlAV32hkKG", "expires_in": "3600",
"refresh_token": "8xLOxBtZp8" }
Parsing such a document is not a challenge even without
library support.
Per notes above - the client needs to understand form encoding
anyway. The client needs to parse the redirect_uri and also needs
to generate form encoded requests.
Also, for the User-Agent flow, parsing potentially untrusted JSON in
JavaScript is difficult. The normal path of using eval() is unsafe and
leads to XSS holes - you need to run a regex matcher to verify that the
JSON content has no executable code.
You are right, using eval to parse JSON is dangerous and thus as far as
I understand, the recommended way is to use a JSON parser (aka native
JSON support)?
regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
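
Added example, not part of the original thread: the token response quoted above parsed with the native `JSON.parse` instead of `eval()`, followed by a shape check on the members. The function names, the allowed-member list and both sample bodies are assumptions constructed for illustration.

```javascript
// Constructed sample bodies (not captured traffic).
const GOOD_BODY =
  '{ "access_token": "SlAV32hkKG", "expires_in": "3600", "refresh_token": "8xLOxBtZp8" }';
// Not JSON: an expression that eval() would run. JSON.parse refuses it.
const CODE_BODY = '{ "access_token": (function () { return "x"; })() }';

// Members taken from the example document in the thread.
const ALLOWED = new Set(['access_token', 'expires_in', 'refresh_token']);

function parseTokenResponse(body) {
  let doc;
  try {
    doc = JSON.parse(body); // grammar-only parser, never evaluates code
  } catch (e) {
    throw new Error('token response is not valid JSON');
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    throw new Error('token response must be a JSON object');
  }
  const out = Object.create(null); // no prototype for keys to collide with
  for (const key of Object.keys(doc)) {
    if (!ALLOWED.has(key)) continue; // ignore unknown members such as "__proto__"
    if (typeof doc[key] !== 'string' && typeof doc[key] !== 'number') {
      throw new Error('unexpected type for ' + key);
    }
    out[key] = doc[key];
  }
  if (typeof out.access_token !== 'string' || out.access_token === '') {
    throw new Error('access_token missing');
  }
  if (out.expires_in !== undefined) {
    // Accept "3600" or 3600, reject anything that is not whole seconds.
    const s = String(out.expires_in);
    if (!/^[0-9]{1,10}$/.test(s)) throw new Error('expires_in is not whole seconds');
    out.expires_in = Number(s);
  }
  return out;
}

// Helper for callers and tests: true when the body is refused.
function rejects(body) {
  try { parseTokenResponse(body); return false; } catch (e) { return true; }
}
```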