struts-dev mailing list archives

From Dale Newfield <>
Subject Re: Comments in JSON
Date Sun, 10 Jul 2011 17:40:12 GMT
On 7/10/11 4:34 AM, Christian Grobmeier wrote:
> Maybe there are other exploits, but I only know what you sent as links.
> And those are saying you need a JSON array because JSON objects are
> not valid js statements.

You clearly didn't read all the links I included, or do your own search 
as I suggested.  The following statements are from another page in that 
short list of links I included:

"Yesterday, I blogged about how to steal data from JSON by overriding 
the Array constructor. Today, we break into Objects too."
"So now you can steal data from any JSON object"

> I just checked:
> jQuery does XHR (wrapped in jqXHR object), but I would not have a clue
> how I could remove those comments.

Then maybe you should find a clue.  JavaScript is an incredibly dynamic 

> It is a more philosophical debate.

Agreed.  The core of the debate is who the "users" are that we as 
framework developers should be protecting.  I claim that they are the 
people using the applications built using the framework, not the people 
developing those applications.  You are free to develop insecure tools 
for those users using this framework if you so choose, but I want you to 
have to make a concrete decision to do so.  Your statement "If I care, I 
can always read the security docs of Struts." illustrates that there are 
plenty of developers that won't bother to read the docs unless something 
isn't working as they expect, and therefore if we default to an insecure 
mechanism, their users' data will be insecure and they won't know 
anything about it, and at the end of the day the framework will get 
blamed for it.

> you should write a page about it

I will not claim that the documentation of this "feature" exists or is 
clear, but that is a separate question from that of how it should 
behave.  Struts is an open source project.  If you think there should be 
a page that doesn't yet exist, please write it and contribute it.

> Is the configuration "POST" or "GET" by default?

The configuration of your struts.xml which specifies the interceptors 
and result types that your actions will use does not by default include 
json.  If you want to add in those interceptors or results, you should 
learn how they work, and configure them appropriately.
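Added example, not from this thread or the Struts project: a small client-side helper that strips the comment wrapper the Struts JSON plugin emits when comment wrapping is enabled, so the payload can be handed to JSON.parse (or to jQuery via its dataFilter option). It assumes the wrapper is `/* ... */` around the JSON text; the exact prefix and suffix are an assumption to check against the plugin's configuration.

```javascript
// Assumed wrapper emitted by the JSON result with comment wrapping on
// (assumption: "/*" before and "*/" after the JSON text, whitespace allowed).
const WRAP_PREFIX = "/*";
const WRAP_SUFFIX = "*/";

// Remove the comment wrapper from a response body.
// Returns null when the wrapper is absent, so the caller can treat an
// unwrapped response as a server misconfiguration instead of silently
// parsing data that was served as an executable script.
function unwrapJsonComment(text) {
  const trimmed = String(text).trim();
  if (!trimmed.startsWith(WRAP_PREFIX) || !trimmed.endsWith(WRAP_SUFFIX)) {
    return null;
  }
  return trimmed
    .slice(WRAP_PREFIX.length, trimmed.length - WRAP_SUFFIX.length)
    .trim();
}

// Unwrap and parse; throws if the wrapper is missing or the body is not JSON.
function parseWrappedJson(text) {
  const body = unwrapJsonComment(text);
  if (body === null) {
    throw new Error("response is not comment-wrapped; check the JSON result config");
  }
  return JSON.parse(body);
}

// Constructed sample response, shaped as the plugin would send it when wrapped.
const SAMPLE_RESPONSE = '/* [{"id":1,"email":"alice@example.test"}] */';

// Hooking into jQuery (hypothetical usage, jQuery not loaded here):
//   $.ajax({ url: "/list.action", dataType: "json",
//            dataFilter: function (raw) { return unwrapJsonComment(raw) || raw; } });
```

The dataFilter runs before jQuery converts the text, so jqXHR never sees the comment markers.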

