Ian,

Well. A client does that if it trusts the source it's getting JSON from,
i.e. your own application. Otherwise, you either use a parser [1] or pass
it through a regex [2] to make sure it's safe.

var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
        text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
    eval('(' + text + ')');

-Elias

[1] http://www.json.org/json.js
[2] http://www.ietf.org/rfc/rfc4627.txt

Ian Dickinson wrote:
>
> Richard Newman wrote:
>> Because RDF/XML, SPARQL-XML, and turtle are great, but nothing beats
>>
>> var mine = eval ("(" + input + ")");
>>
>> in Javascript.
> Isn't that something of a glaring security hole? Passing an arbitrary
> string to eval seems to me to just invite compromises analogous to SQL
> injection attacks.
>
> Ian
>
> ___________________________________________________________________
> Ian Dickinson HP Labs, Bristol, UK mailto:ian.dickinson@hp.com
> http://www.hpl.hp.com/personal/Ian_Dickinson ph:+44-117-312-8796
>
>

Received on Saturday, 7 October 2006 19:46:03 GMT
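The regex gate Elias quotes from RFC 4627, as an added example that is not part of the original message: the filter is wrapped in a function, applied to Richard's eval one-liner, and exercised on constructed inputs (a well-formed object, the same object with an expression injected into a value slot, and a bare identifier). The function names, the sample strings and the JSON.parse comparison are this example's own assumptions; JSON.parse did not exist as a standard API when this 2006 thread was written.

```javascript
// Added example, not from the original thread: the RFC 4627 pre-eval filter
// in function form, checked against constructed safe and unsafe inputs.

// Step 1 removes every string literal, because a string is the only place
// where arbitrary characters may legally appear in JSON text.
// Step 2 checks that what remains uses only JSON structural characters,
// number characters, the letters of true/false/null, and whitespace.
// Parentheses, '=', ';', backticks and most identifiers never survive this.
function looksLikeJSONText(text) {
  const stripped = text.replace(/"(\\.|[^"\\])*"/g, '');
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(stripped);
}

// Richard's one-liner behind the gate: eval only runs on text that passed.
function evalGuarded(text) {
  if (!looksLikeJSONText(text)) {
    throw new SyntaxError('refusing to eval: input is not JSON text');
  }
  return eval('(' + text + ')'); // eslint-disable-line no-eval
}

// A real parser is the stricter choice: JSON.parse never executes anything
// and rejects identifiers that the character-class filter lets through.
function parseStrict(text) {
  return JSON.parse(text);
}

// Constructed inputs for the checks below (not taken from the thread).
const SAFE = '{"name": "x\\"y", "n": -1.5e3, "ok": true, "list": [null, false]}';
// Same shape as SAFE, but with a function call injected into a value slot.
const INJECTED = '{"name": "x", "n": (function () { return 42; })()}';
// Not JSON, but spelled only with letters that occur in true/false/null,
// so the regex gate accepts it; eval would resolve it as a global name.
const IDENTIFIER = '[alert]';

function demo() {
  const out = {};
  out.safePasses = looksLikeJSONText(SAFE);
  out.safeValue = evalGuarded(SAFE);
  out.injectedPasses = looksLikeJSONText(INJECTED);
  out.identifierPassesRegex = looksLikeJSONText(IDENTIFIER);
  let strictRejectsIdentifier = false;
  try {
    parseStrict(IDENTIFIER);
  } catch (e) {
    strictRejectsIdentifier = e instanceof SyntaxError;
  }
  out.strictRejectsIdentifier = strictRejectsIdentifier;
  return out;
}
```

The gate stops the injection because '(' can never survive string stripping, but it is a coarse filter: `[alert]` is accepted by the regex while a real JSON parser rejects it, which is the practical argument for the parser in [1] over the regex in [2] whenever a parser is available.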
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:44:55 GMT