accumulo-notifications mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (ACCUMULO-4590) Use JSON.parse instead of eval on client side javascript
Date Wed, 22 Feb 2017 04:22:44 GMT

     [ https://issues.apache.org/jira/browse/ACCUMULO-4590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser updated ACCUMULO-4590:
---------------------------------
    Description: 
Right now we rely on "eval" to decode json results in the monitor display:

[vis.js|https://github.com/apache/accumulo/blob/master/server/monitor/src/main/resources/web/vis.js#L85]

{code}
function handleNewData() {
  if (xmlhttp.readyState!=4) {
    return;
  }
  if (xmlhttp.status!=200 || xmlhttp.responseText==null) {
    xmlReturned = true;
    return;
  }
  var newstats = eval('(' + xmlhttp.responseText + ')');
{code}

We should instead use JSON.parse

  was:
Right now we rely on "eval" to decode json results in the monitor display:

[vis.js|
https://github.com/apache/accumulo/blob/master/server/monitor/src/main/resources/web/vis.js#L85]

{code}
function handleNewData() {
  if (xmlhttp.readyState!=4) {
    return;
  }
  if (xmlhttp.status!=200 || xmlhttp.responseText==null) {
    xmlReturned = true;
    return;
  }
  var newstats = eval('(' + xmlhttp.responseText + ')');
{code}

We should instead use JSON.parse


> Use JSON.parse instead of eval on client side javascript
> --------------------------------------------------------
>
>                 Key: ACCUMULO-4590
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4590
>             Project: Accumulo
>          Issue Type: Bug
>          Components: monitor
>    Affects Versions: 1.6.6, 1.7.2, 1.8.0, 2.0.0
>            Reporter: Sean Busbey
>              Labels: security
>
> Right now we rely on "eval" to decode json results in the monitor display:
> [vis.js|https://github.com/apache/accumulo/blob/master/server/monitor/src/main/resources/web/vis.js#L85]
> {code}
> function handleNewData() {
>   if (xmlhttp.readyState!=4) {
>     return;
>   }
>   if (xmlhttp.status!=200 || xmlhttp.responseText==null) {
>     xmlReturned = true;
>     return;
>   }
>   var newstats = eval('(' + xmlhttp.responseText + ')');
> {code}
> We should instead use JSON.parse



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
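
The difference the issue describes, as an added example that is not part of the original message or of Accumulo's code: the same response body decoded with the `eval` pattern quoted above and with `JSON.parse`. The function names, the `servers` field and both sample bodies are assumptions constructed for illustration.

```javascript
// Added example; decodeWithEval, decodeStats and the sample bodies are hypothetical.

// The pattern from the report: the response body is compiled and run as JavaScript.
function decodeWithEval(responseText) {
  return (0, eval)('(' + responseText + ')'); // indirect eval, runs in global scope
}

// Replacement: JSON.parse accepts only the JSON grammar and never executes code.
function decodeStats(responseText) {
  let parsed;
  try {
    parsed = JSON.parse(responseText);
  } catch (e) {
    // Malformed or non-JSON bodies are reported, not run.
    return { ok: false, error: 'not valid JSON: ' + e.message };
  }
  // The display code expects an object, so reject bare numbers, strings and null.
  if (parsed === null || typeof parsed !== 'object') {
    return { ok: false, error: 'unexpected top-level JSON type' };
  }
  return { ok: true, value: parsed };
}

// Constructed sample bodies (not real monitor output).
const goodBody = '{"servers":[{"name":"tserver1","ingest":42}]}';
// A valid JavaScript expression that is not JSON: evaluating it has a side effect.
const scriptBody = '{"servers":[], "x": (globalThis.__evalRan = true)}';

function demo() {
  globalThis.__evalRan = false;
  decodeWithEval(scriptBody);
  const evalRan = globalThis.__evalRan;   // the body executed as code
  globalThis.__evalRan = false;
  const viaParse = decodeStats(scriptBody);
  const parseRan = globalThis.__evalRan;  // nothing executed
  return { evalRan, parseRan, rejected: !viaParse.ok, good: decodeStats(goodBody) };
}
```
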