- From: Elias Torres <elias@torrez.us>
- Date: Sat, 07 Oct 2006 15:45:47 -0400
- To: Ian Dickinson <ian.dickinson@hp.com>
- CC: Richard Newman <r.newman@reading.ac.uk>, SW-forum <semantic-web@w3.org>
Ian,
Well. A client does that if it trusts the source it's getting JSON from
i.e. your own application. Otherwise, you either use a parser [1] or
pass it through a regex [2] to make sure it's safe.
var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
eval('(' + text + ')');
-Elias
[1] http://www.json.org/json.js
[2] http://www.ietf.org/rfc/rfc4627.txt
Ian Dickinson wrote:
>
> Richard Newman wrote:
>> Because RDF/XML, SPARQL-XML, and turtle are great, but nothing beats
>>
>> var mine = eval ("(" + input + ")");
>>
>> in Javascript.
> Isn't that something of a glaring security hole? Passing an arbitrary
> string to eval seems to me to just invite compromises analogous to SQL
> injection attacks.
>
> Ian
>
> ___________________________________________________________________
> Ian Dickinson HP Labs, Bristol, UK mailto:ian.dickinson@hp.com
> http://www.hpl.hp.com/personal/Ian_Dickinson ph:+44-117-312-8796
>
>
>
Received on Saturday, 7 October 2006 19:46:03 UTC