commons-dev mailing list archives

From "Hao Zheng" <volezh...@gmail.com>
Subject Re: [configuration] JSON format
Date Tue, 08 Apr 2008 12:33:49 GMT
Yes, security is another issue. Thanks for pointing that out. Just forget my idea.

On Tue, Apr 8, 2008 at 5:42 PM, Jörg Schaible
<Joerg.Schaible@elsag-solutions.com> wrote:
> Mario Ivankovits wrote:
> > Hi!
> > > JSON is a subset of Javascript,
> > > so we can use a simple call "eval()" to parse the
> > > configuration file.
> > Wouldn't that be dangerous for something like "script injection"?
> > One might be able to pass in a faked JSON string with some
> > code in there
> > which will be executed on eval() then, no?
>
> Yes. Additionally, JSON does not allow any method calls, but calling eval will provide
> the full JavaScript functionality. Therefore you will have to use a real JSON parser to read
> JSON only (e.g. http://www.json.org/java/index.html).
>
>  - Jörg
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org

