Create an Account
username: password:
 
  MemeStreams Logo

More on: X-JSON in Prototype
search
Home Agent Weblogs Social Network Post Help About

Acidus
Picture of Acidus
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Acidus's topics
Arts
Business
Games
Health and Wellness
Home and Garden
Miscellaneous
Current Events
Recreation
Local Information
Science
Society
Sports
Technology

support us

Get MemeStreams Stuff!


 
More on: X-JSON in Prototype
Topic: Technology 5:41 pm EST, Dec 29, 2006

Jello wrote:

Acidus wrote:

new Ajax.Request('?url=backend',{onSuccess:responseHandler});
var responseHandler = function(t) { json = eval(t.getResponseHeader('X-JSON'));

eval() is the WORST thing you can ever do in JavaScript and people who process JSON with eval() should be punched in the face.

Quoting from the great Douglas Crockford:

However, [eval()] can compile and execute any JavaScript program, so there can be security issues. The use of eval is indicated when the source is trusted. This is commonly the case in web applications when a web server is providing both the base page and the JSON data. There are cases where the source is not trusted. In particular, clients should never be trusted.

When security is a concern it is better to use a JSON parser. A JSON parser will only recognize JSON text and so is much safer:

var jsonObject = eval('(' + jsonString + ')');

You mean like that?

Ducks.

As Crockford (the man who invented JSON) states, eval give access to the full JavaScript compiler. Using eval to parse JSON can be attacked 2 ways:

1- You have a mashup or data from other sources that you cannot trust.
2- Unvalidated user input is placed inside the object being returned by JSON.

Consider receiving/processing a JSON object which is an Array of someone name.

["Alice", "Eve", "Bob"]

Eve makes her name ""]; alert('xss');//
Now what gets evaled is ["Alice", ""];alert('xss');//", "Bob"]

Eve has achieved code execution!

Once again something that an be solved if all user input is properly validated, included data from 3rd party sites.

However, the big reason I made this most is that Prototype (and thus Script.aculo.us) has a built in feature, to always eval the contents of an HTTP header! I doubt most people using the framework know this exists, and short of modifying the framework, it doesn't appear that you can turn it off.

At what point does a feature become a backdoor?

More on: X-JSON in Prototype

Thread [4]


  
 
Powered By Industrial Memetics		RSS2.0