Mario Ivankovits wrote:
> Hi!
>>> JSON is a subset of Javascript,
>>> so we can use a simple call "eval()" to parse the
>>> configuration file.
> Wouldn't that be dangerous for something like "script injection"?
> One might be able to pass in a faked JSON string with some
> code in there
> which will be executed on eval() then, no?

Yes. Additionally, JSON does not allow any method calls, but calling eval will 
provide the full JavaScript functionality. Therefore you will have to use a 
real JSON parser to read JSON only (e.g. http://www.json.org/java/index.html).

- Jörg
