struts-dev mailing list archives

From Dale Newfield <d...@newfield.org>
Subject Re: Comments in JSON
Date Sun, 10 Jul 2011 02:43:59 GMT
On 7/9/11 2:36 PM, Christian Grobmeier wrote:
> - don't use javascript arrays to return as a json string

It really doesn't matter if it's an array or object: if it's valid json 
that the browser will attempt to execute, it's vulnerable.

> - don't use GET as your method

I believe that would protect your data from this script tag attack vector.

> You mentioned to put everything into a js comment. This breaks the
> protocol definition and will cause jQuery to fail (and probably
> others).

If it's doing XHR, I'm certain you can insert a filter to make it work 
either way, but making the result configurable doesn't seem to be an 
unreasonable request.  I still suggest that the default behavior is to 
protect users' data.

> In addition a Struts json plugin should allow crossdomain ajax by
> default for POST only, GET should be enabled by user interaction.

The plugin doesn't care; it's the configuration that determines when you 
use the interceptor or result.

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
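The comment-wrapping scheme the reply refers to, as an added example that is not part of the thread or of the Struts JSON plugin: the wrap/unwrap helpers and their names are this example's own, and the only real API it assumes is jQuery's `dataFilter(data, type)` ajax option.

```javascript
// Added example (not from the thread): a JSON body wrapped in "/* ... */" is
// inert when pulled in via <script src=...>, while a legitimate XHR caller
// strips the wrapper with a filter before parsing. All helper names here are
// this example's own.

const COMMENT_OPEN = "/*";
const COMMENT_CLOSE = "*/";

// Server side of the scheme (in JS only so the demo is self-contained; the
// Struts plugin would do this in Java): serialize, then neutralise any "*/"
// inside the payload with the JSON-legal "\/" escape so it cannot close the
// comment early, and wrap.
function wrapJsonForResponse(value) {
  const json = JSON.stringify(value).replace(/\*\//g, "*\\/");
  return COMMENT_OPEN + " " + json + " " + COMMENT_CLOSE;
}

// Client side: return the JSON text inside the wrapper, or throw so that an
// unwrapped (unprotected) endpoint is noticed rather than silently accepted.
function unwrapJsonComment(body) {
  const text = String(body).trim();
  if (!text.startsWith(COMMENT_OPEN) || !text.endsWith(COMMENT_CLOSE)) {
    throw new Error("response is not wrapped in a JS comment");
  }
  const inner = text.slice(COMMENT_OPEN.length, text.length - COMMENT_CLOSE.length);
  // An unescaped "*/" in the payload would end the comment when loaded as a
  // script, so a correct server never emits one; reject it on the client too.
  if (inner.includes(COMMENT_CLOSE)) {
    throw new Error("payload contains an unescaped comment terminator");
  }
  return inner.trim();
}

// Parse the unwrapped payload; works for arrays and objects alike, which is
// why the wrapper protects both.
function parseWrappedJson(body) {
  return JSON.parse(unwrapJsonComment(body));
}

// The "filter" the reply mentions, shaped as a jQuery dataFilter(data, type):
// install with $.ajaxSetup({ dataFilter: jsonCommentFilter }) and $.getJSON
// then receives the parsed object. Non-JSON responses pass through untouched.
function jsonCommentFilter(data, type) {
  return type === "json" ? unwrapJsonComment(data) : data;
}

// Constructed sample response, as a comment-wrapping server would send it.
const SAMPLE_RESPONSE = '/* {"account":"demo","balance":42,"roles":["user"]} */';
```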

