Yes, security is another issue. Thanks for pointing that out. Just forget my idea.
On Tue, Apr 8, 2008 at 5:42 PM, Jörg Schaible <[EMAIL PROTECTED]> wrote:
> Mario Ivankovits wrote:
> > Hi!
> >>> JSON is a subset of Javascript, so we can use a simple call "eval()" to parse the configuration file.
> >
> > Wouldn't that be dangerous for something like "script injection"? One might be able to pass in a faked JSON string with some code in there which will be executed on eval() then, no?
>
> Yes. Additionally JSON does not allow any method calls, but calling eval will provide the full JavaScript functionality. Therefore you will have to use a real JSON parser to read JSON only (e.g. http://www.json.org/java/index.html).
>
> - Jörg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
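The point Jörg makes above, shown as an added example that is not part of the thread: a file that is valid JavaScript but not valid JSON is accepted and executed by `eval()`, while a real JSON parser rejects it because the JSON grammar has no expressions or method calls. The example is in JavaScript because the `eval()` concern is a JavaScript one; the Java parser linked in the thread behaves the same way as `JSON.parse` here. The loader function names, the `probe` object and both configuration strings are constructed for this example.

```javascript
// Added example (not from the mailing-list thread): eval() versus a real JSON parser.

// Module-level marker that lets us observe whether eval() executed code
// embedded in the "configuration file". Constructed for this example.
const probe = { evalRanCode: false };

// A well-formed JSON configuration file (constructed sample).
const GOOD_CONFIG = '{"host": "db.internal", "port": 5432, "ssl": true}';

// A file that is valid JavaScript but NOT valid JSON: the "port" value is a
// parenthesised expression with a side effect. JSON has no expression syntax,
// so a conforming JSON parser must reject this (constructed sample).
const TAMPERED_CONFIG =
  '{"host": "db.internal", "port": (probe.evalRanCode = true, 5432)}';

// Hypothetical insecure loader: eval() treats the file as arbitrary JavaScript.
// The surrounding parentheses make the text parse as an object expression.
function loadConfigWithEval(text) {
  return eval('(' + text + ')');
}

// Loader using a real JSON parser. JSON.parse only understands the JSON grammar,
// so anything beyond literals, arrays and objects is a syntax error.
function loadConfigWithJsonParse(text) {
  try {
    return { ok: true, config: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Runs both loaders over one input and reports what each one did.
function compareLoaders(text) {
  probe.evalRanCode = false;
  let evalResult;
  try {
    evalResult = { ok: true, config: loadConfigWithEval(text) };
  } catch (err) {
    evalResult = { ok: false, error: err.message };
  }
  return {
    evalAccepted: evalResult.ok,
    evalRanEmbeddedCode: probe.evalRanCode,
    jsonParseAccepted: loadConfigWithJsonParse(text).ok,
  };
}

// Stand-alone demonstration: the tampered file is accepted (and its embedded
// code executed) by eval(), but rejected outright by JSON.parse.
console.log('good config:', compareLoaders(GOOD_CONFIG));
console.log('tampered config:', compareLoaders(TAMPERED_CONFIG));
```

The defensive rule this illustrates is that "JSON is a subset of JavaScript" does not make a JavaScript evaluator a JSON parser: the evaluator accepts the whole superset, so every byte of the file becomes code, whereas a JSON parser turns the same bytes into data only.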