That is a very good point. The cases where JSON is accepted from untrusted parties are rare, though, but theoretically possible (in most cases, I'm assuming, it's a webserver returning JSON from an AJAX call, where no third party is involved). If V8 is theoretically used for writing server-side web applications, I guess there would be a need for a way to avoid this type of injection attack (similar to how current frameworks avoid SQL injection attacks from untrusted input).
- Simon

2008/10/9 Pete Gontier <[EMAIL PROTECTED]>:
> In many situations, it's perfectly reasonable to pass JSON data to 'eval'
> (or V8). However, if one accepts JSON from untrusted parties, one must
> assume what is ostensibly JSON might actually be malicious JavaScript. The
> "whole point of JSON" is really to be a compact/portable data format; the
> fact that it has syntax and semantics which are a precise subset of
> JavaScript is merely convenient.
>
> Pete Gontier <http://pete.gontier.org/>
>
>
> On Oct 8, 2008, at 10:47 AM, Simon Ask Ulsnes wrote:
>
> Excuse me?
>
> The whole point of JSON is to be representing objects in valid
> JavaScript syntax. If parsing JSON using V8's internal parser is too
> slow for you, then it doesn't really make sense to use V8 at all. ;-)
>
> Besides, my example generates JSON. Ragel can only be used to parse it.
> I'm not doubting that Ragel is an excellent state machine compiler,
> but you're already using one compiler for your code, why not use the
> same for your data, when you even have the luxury that your code and
> your data is in the same format?
>
> - Simon
>
> 2008/10/8 <[EMAIL PROTECTED]>:
> >
> > On Sep 10, 3:04 pm, "Simon Ask Ulsnes" <[EMAIL PROTECTED]> wrote:
> > It's not that hard to add, though.
> > I did something like this:
> > ...
> > Rather than hacking some basic JSON support into V8 or your V8
> > application, I recommend that it be done the pro' way, using Ragel:
> > http://www.complang.org/ragel/
> > Ragel's compiled state machines are blindingly fast, and hence so are
> > the implementations of JSON of languages that use it:
> > http://json.rubyforge.org/
> > http://modules.gotpike.org/module_info.html?module_id=43
> > I did some elementary benchmarking of JSON implementations a while
> > back, and JSON in Ragel was in a class of its own. :-)
> > Slowing down V8's lightning speed with a poor JSON would be so
> > sad. ;-)
> > Morgaine.
v8-users mailing list
[email protected]
http://groups.google.com/group/v8-users
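As an added example (not code from the thread or from the V8 project), the following contrasts the eval pattern the thread warns about with a grammar-restricted parser: the two inputs are constructed, both are valid JavaScript object literals, and only the first is valid JSON. It assumes a modern V8/Node runtime with the ES5 `JSON.parse`, which did not yet exist when this 2008 thread was written.

```javascript
// Constructed inputs. Both parse as JavaScript object literals; only the first
// is valid JSON. The second embeds an expression that executes under eval.
const plainJson = '{"user": "alice", "roles": ["viewer"]}';
const disguisedCode =
  '{"user": "alice", "roles": (function () { globalThis.evalRan = true; return ["admin"]; })()}';

// The pattern the thread warns about: the JS engine is the parser, so any
// JavaScript expression hidden in the "data" runs with the caller's privileges.
function parseWithEval(text) {
  // Parentheses force expression context so a leading '{' is an object literal.
  return eval('(' + text + ')');
}

// Defensive alternative: JSON.parse accepts only the JSON grammar (no function
// calls, no identifiers), followed by a shape check so the application proceeds
// only on the structure it expects. Returns {ok, value} or {ok, error}.
function parseUntrustedJson(text) {
  let value;
  try {
    value = JSON.parse(text); // SyntaxError on anything outside JSON
  } catch (e) {
    return { ok: false, error: 'not JSON: ' + e.message };
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return { ok: false, error: 'expected a JSON object' };
  }
  if (typeof value.user !== 'string' || !Array.isArray(value.roles) ||
      !value.roles.every((r) => typeof r === 'string')) {
    return { ok: false, error: 'unexpected shape' };
  }
  return { ok: true, value };
}

// Run one input through both parsers and report whether eval executed code.
function compareParsers(text) {
  globalThis.evalRan = false;
  let viaEval;
  try { viaEval = parseWithEval(text); } catch (e) { viaEval = undefined; }
  return { evalRan: globalThis.evalRan, viaEval, strict: parseUntrustedJson(text) };
}
```

Running `compareParsers(disguisedCode)` shows the eval path granting "admin" with `evalRan` set, while the strict path rejects the same bytes as not JSON.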
