From: "Hao Zheng"
To: "Jakarta Commons Developers List"
Date: Tue, 8 Apr 2008 20:33:49 +0800
Subject: Re: [configuration] JSON format
References: <47FB3ACF.6070001@apache.org> <47FB3BD1.90701@ops.co.at>

Yes, security is another issue. Thanks for pointing that out. Just forget my idea.

On Tue, Apr 8, 2008 at 5:42 PM, Jörg Schaible wrote:
> Mario Ivankovits wrote:
> > Hi!
> >>> JSON is a subset of Javascript,
> >>> so we can use a simple call "eval()" to parse the
> >>> configuration file.
> > Wouldn't that be dangerous for something like "script injection"?
> > One might be able to pass in a faked JSON string with some code in there
> > which will be executed on eval() then, no?
>
> Yes. Additionally JSON does not allow any method calls, but calling eval will provide the full JavaScript functionality. Therefore you will have to use a real JSON parser to read JSON only (e.g. http://www.json.org/java/index.html).
>
> - Jörg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
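The point Mario and Jörg make above, as an added example that is not code from this thread or from Commons Configuration: the old "JSON is JavaScript, so eval() it" idiom executes whatever the file contains, while a real JSON parser rejects anything outside the JSON grammar. It assumes a modern JavaScript runtime (e.g. Node.js) that provides JSON.parse; the sample configuration strings and the markTampered function are constructed for the demonstration.

```javascript
// Added example (not code from this thread or from Commons Configuration).
// Contrasts eval()-based "JSON parsing" with a real JSON parser.
// Assumes a modern JavaScript runtime (e.g. Node.js) that provides JSON.parse.

// A side effect that configuration data must never be able to trigger.
let sideEffects = 0;
function markTampered() {
  sideEffects += 1;
  return "tampered";
}
function getSideEffects() {
  return sideEffects;
}

// Constructed sample: a well-formed JSON configuration.
const trustedConfig = '{"host": "db.internal", "port": 5432}';

// Constructed sample: looks like a config file but contains a JavaScript
// call, so it is not JSON at all. Only the eval() path will execute it.
const craftedConfig =
  '{"host": "db.internal", "port": 5432, "note": markTampered()}';

// The historical "JSON is JavaScript" idiom: wrap the text in parentheses so
// the object literal is parsed as an expression, then evaluate it as code.
// Any JavaScript in the text runs with the privileges of this program.
function loadWithEval(text) {
  return eval("(" + text + ")");
}

// The safe alternative: a real JSON parser. Identifiers, calls and operators
// are syntax errors in JSON, so the crafted text is rejected outright.
function loadWithParser(text) {
  return JSON.parse(text);
}

// Loader that reports rejection instead of throwing, for callers that want
// to log a bad configuration file rather than crash.
function loadConfig(text) {
  try {
    return { ok: true, config: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
}

// Stand-alone demonstration of the safe path on both inputs.
console.log(loadConfig(trustedConfig));
console.log(loadConfig(craftedConfig));
```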