Re: Why JSON?

Ian,

Well. A client does that if it trusts the source it's getting JSON from
i.e. your own application. Otherwise, you either use a parser [1] or
pass it through a regex [2] to make sure it's safe.

      var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
             text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
         eval('(' + text + ')');

-Elias

[1] http://www.json.org/json.js
[2] http://www.ietf.org/rfc/rfc4627.txt

Ian Dickinson wrote:
> 
> Richard Newman wrote:
>> Because RDF/XML, SPARQL-XML, and turtle are great, but nothing beats
>>
>> var mine = eval ("(" + input + ")");
>>
>> in Javascript.
> Isn't that something of a glaring security hole? Passing an arbitrary
> string to eval seems to me to just invite compromises analogous to SQL
> injection attacks.
> 
> Ian
> 
> ___________________________________________________________________
> Ian Dickinson   HP Labs, Bristol, UK    mailto:ian.dickinson@hp.com
> http://www.hpl.hp.com/personal/Ian_Dickinson    ph:+44-117-312-8796
> 
> 
> 

Received on Saturday, 7 October 2006 19:46:03 UTC