- From: Elias Torres <elias@torrez.us>
- Date: Sat, 07 Oct 2006 15:45:47 -0400
- To: Ian Dickinson <ian.dickinson@hp.com>
- CC: Richard Newman <r.newman@reading.ac.uk>, SW-forum <semantic-web@w3.org>
Ian, Well. A client does that if it trusts the source it's getting JSON from i.e. your own application. Otherwise, you either use a parser [1] or pass it through a regex [2] to make sure it's safe. var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test( text.replace(/"(\\.|[^"\\])*"/g, ''))) && eval('(' + text + ')'); -Elias [1] http://www.json.org/json.js [2] http://www.ietf.org/rfc/rfc4627.txt Ian Dickinson wrote: > > Richard Newman wrote: >> Because RDF/XML, SPARQL-XML, and turtle are great, but nothing beats >> >> var mine = eval ("(" + input + ")"); >> >> in Javascript. > Isn't that something of a glaring security hole? Passing an arbitrary > string to eval seems to me to just invite compromises analogous to SQL > injection attacks. > > Ian > > ___________________________________________________________________ > Ian Dickinson HP Labs, Bristol, UK mailto:ian.dickinson@hp.com > http://www.hpl.hp.com/personal/Ian_Dickinson ph:+44-117-312-8796 > > >
Received on Saturday, 7 October 2006 19:46:03 UTC