On Fri, Aug 21, 2009 at 11:20 AM, <[email protected]> wrote:
>
> http://codereview.appspot.com/104067/diff/4005/4008
> File features/src/main/javascript/features/core/json.js (right):
>
> http://codereview.appspot.com/104067/diff/4005/4008#newcode147
> Line 147: if (k.match('___$'))
> this restriction won't be respected if window.JSON is defined. See above.
> While this isn't strictly a security issue it will put content you
> don't want in the JSON output. Can you test this on Firefox 3.5/ Safari
> 4?

I don't think this will be a major issue, but if it is we probably need to tame window.JSON directly anyway. I think window.JSON.stringify(___.copy(obj)); will do the trick.

>
>
> http://codereview.appspot.com/104067/diff/4005/4006
> File
> java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/CajaContentRewriter.java
> (right):
>
> http://codereview.appspot.com/104067/diff/4005/4006#newcode85
> Line 85: if (uri.getScheme().matches("^https?$")) {
> no need for regex, case insensitive direct comparison is sufficient.
>
> http://codereview.appspot.com/104067/diff/4005/4006#newcode87
> Line 87: } else if ("javascript".equals(uri.getScheme())) {
> should be case-insensitive.
>
>
> http://codereview.appspot.com/104067
>
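The concern raised about line 147, shown as an added example that is not code from this thread or from Shindig or Caja: the native `JSON.stringify` emits keys ending in `___` unless it is given a filter. The replacer approach and the names `isHiddenKey`, `hideInternalKeys`, `safeStringify` and `sampleGadgetData` are assumptions for illustration, standing in for the `___.copy(obj)` idea from the reply.

```javascript
// Keys ending in three underscores are treated as internal and must not be
// serialized. Same test as the reviewed line: k.match('___$').
function isHiddenKey(key) {
  return typeof key === 'string' && /___$/.test(key);
}

// Replacer for the native JSON.stringify. Returning undefined for an object
// property drops it from the output. The root value is visited with key ""
// and array elements with index strings, so neither is ever filtered.
function hideInternalKeys(key, value) {
  return isHiddenKey(key) ? undefined : value;
}

// Wrapper that applies the filter at every nesting level.
function safeStringify(obj) {
  return JSON.stringify(obj, hideInternalKeys);
}

// Constructed sample data (not from the page).
function sampleGadgetData() {
  return {
    title: 'demo',
    frozen___: true,
    nested: { id: 7, secret___: 'x', list: [1, { y___: 2, z: 3 }] },
    trailing___x: 'kept', // does not END in ___, so it is not internal
  };
}

// True when unfiltered native serialization exposes an internal key.
function nativeLeaks(obj) {
  return JSON.stringify(obj).includes('___"');
}

console.log('native:  ', JSON.stringify(sampleGadgetData()));
console.log('filtered:', safeStringify(sampleGadgetData()));
```
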

