- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Tue, 19 May 2009 13:55:59 +0200
- To: Adam Connors <adamconnors@google.com>
- Cc: Mobile Web Best Practices Working Group WG <public-bpwg@w3.org>
On Tuesday, 19 May 2009 at 12:44 +0100, Adam Connors wrote:
> * If the gap hasn't closed I propose that we change this BP to state
> that the preferred option is to use eval() but only on trusted data
> (either you know it came from your server or you have escaped any user
> generated content).

I think I would at least phrase it the other way around (i.e. the preferred option is JSON parsing, but you can get performance gains with eval() on some platforms if you're dealing with really trusted data), but even that sounds a bit scary to me.

http://log.does-not-exist.org/archives/2007/12/03/2155_json_eval_owning_the_dashboard.html comes to my mind for instance...

["really trusted data" would mean data transferred over https, with full assurance that everything has been properly escaped, which is so easy to get wrong that making it a best practice seems really difficult to me]

Dom
Received on Tuesday, 19 May 2009 11:56:26 UTC
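An added example (not code from the thread or from the BPWG) of the distinction Dom draws: on the same constructed inputs, eval() executes whatever expression the text happens to contain, while JSON.parse() rejects anything outside the JSON grammar. It assumes a JavaScript engine with native JSON.parse; the `sideEffects` array and both payload strings are constructed for illustration.

```javascript
// Added example, not from the thread: the same two inputs parsed with eval()
// and with JSON.parse(). JSON.parse only accepts the JSON grammar, so data
// that smuggles in an expression is rejected instead of executed.

const sideEffects = []; // records whether "parsing" ran any code

// Constructed sample: ordinary JSON, the "trusted data" case in the thread.
const trustedPayload = '{"user": "alice", "roles": ["viewer"]}';

// Constructed sample: valid JavaScript, not valid JSON. A comma expression
// stands in for whatever an unescaped, user-controlled field could carry.
const hostilePayload =
  '{"user": "alice", "roles": (sideEffects.push("ran"), ["admin"])}';

// The classic eval idiom: wrap in parentheses so the text is an expression.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Strict alternative: JSON.parse throws SyntaxError on anything beyond JSON.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Runs both parsers over both payloads and reports what happened, including
// how many times the embedded expression executed.
function compare() {
  sideEffects.length = 0;
  const strict = {
    trusted: parseStrict(trustedPayload),
    hostile: parseStrict(hostilePayload),
  };
  const strictSideEffects = sideEffects.length; // 0: nothing executed
  const viaEval = parseWithEval(hostilePayload);
  return {
    strict,
    evalResult: viaEval,
    strictSideEffects,
    evalSideEffects: sideEffects.length, // 1: eval ran the expression
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

The strict parser also fails closed on the hostile input (it returns an error rather than a partially built object), which is the property the "only on trusted data" caveat has to rely on escaping to approximate.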