commons-dev mailing list archives

From Jörg Schaible <Joerg.Schai...@Elsag-Solutions.com>
Subject RE: [configuration] JSON format
Date Tue, 08 Apr 2008 09:42:28 GMT
Mario Ivankovits wrote:
> Hi!
>
>> JSON is a subset of Javascript, so we can use a simple call "eval()"
>> to parse the configuration file.
>
> Wouldn't that be dangerous for something like "script injection"?
> One might be able to pass in a faked JSON string with some code in
> there which will be executed on eval() then, no?

Yes. Additionally, JSON does not allow any method calls, but calling eval will provide the
full JavaScript functionality. Therefore you will have to use a real JSON parser to read JSON
only (e.g. http://www.json.org/java/index.html).

- Jörg
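The point Mario raises and Jörg confirms, shown in runnable form. This is an added example written for this archive page, not code from the thread or from Commons Configuration; it is JavaScript rather than Java so that eval() can be exercised directly, and JSON.parse stands in for the strict Java parser Jörg links to. Both configuration strings are constructed for the example; the property name configLoaderCompromised and the function names are invented here.

```javascript
// Added example (not from the commons-dev thread or Commons Configuration):
// loading a JSON-looking configuration string two ways, to show why eval()
// is not a JSON parser.

// Constructed benign configuration: pure JSON, no code anywhere in it.
const BENIGN_CONFIG = '{"host": "db.example", "port": 5432, "tls": true}';

// Constructed hostile "configuration": valid JavaScript, not valid JSON.
// The value of "host" is a function call that runs the moment the text is
// evaluated. Here it only sets a flag; it could do anything the process can.
const HOSTILE_CONFIG =
  '{"host": (function () { globalThis.configLoaderCompromised = true; ' +
  'return "attacker.example"; })(), "port": 5432}';

// The approach proposed in the thread: hand the file to eval(). The wrapping
// parentheses make the object literal parse as an expression rather than a
// block; this is how eval-based "JSON parsers" were typically written.
// Anything the file author wrote executes with the caller's privileges.
function loadConfigWithEval(text) {
  return eval('(' + text + ')');
}

// A real JSON parser accepts only the JSON grammar: null, booleans, numbers,
// strings, arrays and objects. A function call is a syntax error, so no code
// can run. Rejected input yields null instead of a partially loaded config.
function loadConfigWithJsonParser(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    if (e instanceof SyntaxError) {
      return null;
    }
    throw e;
  }
}

// Did the hostile payload manage to run? It tries to set this flag.
function wasCompromised() {
  return globalThis.configLoaderCompromised === true;
}

function resetCompromiseFlag() {
  delete globalThis.configLoaderCompromised;
}

// Usage: the strict parser reads the benign file and rejects the hostile one
// without running anything; eval() "reads" both, and running the hostile one
// flips the flag.
resetCompromiseFlag();
console.log('JSON.parse, benign :', loadConfigWithJsonParser(BENIGN_CONFIG));
console.log('JSON.parse, hostile:', loadConfigWithJsonParser(HOSTILE_CONFIG));
console.log('compromised after JSON.parse:', wasCompromised());
console.log('eval, hostile      :', loadConfigWithEval(HOSTILE_CONFIG));
console.log('compromised after eval      :', wasCompromised());
```

The same split applies to the Java side of the thread: a scripting engine evaluating the file has the whole language available, while a parser that implements only the JSON grammar has no code path that can execute anything.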

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org

