- From: Jim Ley <jim.ley@gmail.com>
- Date: Fri, 17 Mar 2006 14:06:11 +0000
On 3/16/06, Gervase Markham <gerv at mozilla.org> wrote:
> Hallvord R M Steen wrote:
> > You are right, if no variables are created one can't see the data by
> > loading it in a SCRIPT tag. Are you aware of intranets/CMSes that use
> > this as a security mechanism?
>
> That's not actually right. I'm pretty sure this came across a public
> security list, so...
>
> You can override the constructor on the prototype of the Object object
> and get access to JSON objects before the JavaScript engine throws them
> away when it realises they don't get assigned to a variable.
>
> Or something like that, anyway. I can't remember exactly how it worked.
> But I'm pretty sure that it's true that you can get JSON data if it's
> not protected.

I can't reproduce this. In IE and Opera, there's no effect whatsoever playing with Object constructors; in Mozilla there is, however it is not called unless you have an expression:

    {chicken:true} // doesn't call it.
    donkey={chicken:true} // does call it.

Please can you provide more information on how raw JSON is available from script elements?

Cheers,

Jim.
Received on Friday, 17 March 2006 06:06:11 UTC