Comments on: Conflating JSON with Javascript or why there is no “Safe JSON” http://robubu.com/?p=25 the weblog of Rob Yates Sat, 14 Aug 2010 17:34:10 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Gastromancer http://robubu.com/?p=25&cpage=1#comment-6987 Gastromancer Thu, 05 Apr 2007 01:11:33 +0000 http://robubu.com/?p=25#comment-6987 Isn't the moral of this tale that "eval is not a demarshaller"? I mean, c'mon -- couldn't the Moz/IE/ECMAScript foks add a "parse" builtin function to the standard, that didn't eval? Perhaps one that only accepted the constant-expression part of the Javascript grammar? Isn’t the moral of this tale that “eval is not a demarshaller”? I mean, c’mon — couldn’t the Moz/IE/ECMAScript foks add a “parse” builtin function to the standard, that didn’t eval? Perhaps one that only accepted the constant-expression part of the Javascript grammar?

]]> By: Patrick Hunlock http://robubu.com/?p=25&cpage=1#comment-5156 Patrick Hunlock Sun, 11 Mar 2007 06:31:26 +0000 http://robubu.com/?p=25#comment-5156 If you read John Resig's article "Native JSON support is required" ( http://ejohn.org/blog/native-json-support-is-required/ ) you'll see that we're just on the cusp of JSON being very mainstream. The next generation of browsers will have cross-domain support for json and it's implied in the spec that the data will be processed by the browser and placed into a javascript object meaning you won't need to write a javascript serializer or pass the json data through eval (and we all know that i is masquerading as an a in that word). So like it or hate it, json's position in web-applications is only going to get stronger over the coming year. The standards are in place and the browsers are lining up to support it and I think in the end it will be a good thing, finally allowing data to be retrieved cross domain safely and securely for both the client and server. If you read John Resig’s article “Native JSON support is required” ( http://ejohn.org/blog/native-json-support-is-required/ ) you’ll see that we’re just on the cusp of JSON being very mainstream. The next generation of browsers will have cross-domain support for json and it’s implied in the spec that the data will be processed by the browser and placed into a javascript object meaning you won’t need to write a javascript serializer or pass the json data through eval (and we all know that i is masquerading as an a in that word).

So like it or hate it, json’s position in web-applications is only going to get stronger over the coming year. The standards are in place and the browsers are lining up to support it and I think in the end it will be a good thing, finally allowing data to be retrieved cross domain safely and securely for both the client and server.

]]> By: Lenny http://robubu.com/?p=25&cpage=1#comment-5154 Lenny Sun, 11 Mar 2007 05:50:18 +0000 http://robubu.com/?p=25#comment-5154 As I see it, the takeaway from all this is that the root of any private JSON document should be an Object, never an Array. {...}, when not wrapped in parentheses, is interpreted as a code block rather than an object literal, so executing it will fail as a parse error. Wrapping in parentheses isn't valid JSON, anyway, so don't do it and you should be safe. Like you said, it's not a Javascript program. [...], the other valid root, is a Javascript program, and is as vulnerable as ever. Prescription: don't start your JSON doc with [, and don't deviate from the spec with things like parentheses. As I see it, the takeaway from all this is that the root of any private JSON document should be an Object, never an Array.

{…}, when not wrapped in parentheses, is interpreted as a code block rather than an object literal, so executing it will fail as a parse error. Wrapping in parentheses isn’t valid JSON, anyway, so don’t do it and you should be safe. Like you said, it’s not a Javascript program.

[...], the other valid root, is a Javascript program, and is as vulnerable as ever.

Prescription: don’t start your JSON doc with [, and don’t deviate from the spec with things like parentheses.

]]> By: Rob Yates http://robubu.com/?p=25&cpage=1#comment-5138 Rob Yates Sat, 10 Mar 2007 21:35:46 +0000 http://robubu.com/?p=25#comment-5138 XML only for the first release, in the form of Atom Feeds and the Atom Publishing Protocol. XML only for the first release, in the form of Atom Feeds and the Atom Publishing Protocol.

]]> By: Patrick Mueller http://robubu.com/?p=25&cpage=1#comment-5136 Patrick Mueller Sat, 10 Mar 2007 19:48:06 +0000 http://robubu.com/?p=25#comment-5136 "connections will NOT be offering a JSON api." I assume you mean that JSON is not a data format that connections APIs will accept as input, or generate as output. That's too bad. XML only? YAML, perhaps? “connections will NOT be offering a JSON api.” I assume you mean that JSON is not a data format that connections APIs will accept as input, or generate as output. That’s too bad. XML only? YAML, perhaps?

]]>