Honestly, there's not a whole bunch you could do with JSON that's
insecure. The entire meaning of JSON is Javascript Object Notation.
All it means is, if you were to type a string of json out within a
script tag, it would be a Javascript object.

var json = {success: true, name: 'Some Customer', quantity: 8};

If you received this via an AJAX call and force processing as JSON
(i.e. using $.getJSON or $.post('url.php', function(data){},
'json');), then it can basically be trusted to come out only as JSON.

That being said, it sounds like you're doing something which is not
JSON, but rather JavaScript being transferred over AJAX.

When you said:

> ok and that's safe for things like a string $("#cart_info").fadeIn
> (500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> got from JSON?

You are describing the perfect example of how not to use JSON. If you
allow for this kind of processing to occur in a json string, you open
a pretty huge security door, and anyone who can get malicious JS into
your page can do anything from making your page appear blank,
redirecting to a phishing page, or simply just start opening popups
with a bunch of porn.

The simplest way to do it is to limit returns, and properly process
your javascript. Ideally, you'd do something like:

$.get('url.php', function(data){
    // the server sends data only; the client decides what code runs
    if (data.success) fadeCart(500);
}, 'json');

function fadeCart(duration){
    var cart = $('#cart_info').fadeIn(duration);
    setTimeout(function(){cart.fadeOut(duration);}, 2000);
}

On Jan 29, 11:38 am, Stephan Veigl <stephan.ve...@gmail.com> wrote:
> If you are trying to send JavaScript via AJAX that's not JSON. JSON is
> about data only (see:http://json.org/), and that's exactly what makes
> secureEvalJSON() secure. This function checks that there is nothing
> else in your JSON except data, especially no JavaScript commands.
> QUOTE: "secureEvalJSON: Converts from JSON to Javascript, but does so
> while checking to see if the source is actually JSON, and not with
> other Javascript statements thrown in."
>
> If your question is: How secure is it to transfer JavaScript via AJAX?
> Then the answer depends on how secure is your channel, how confident
> are you that the data are really from the expected source and how much
> do you trust your source.
>
> For the first shot I would say, that it is insecure by default.
> However it depends on your application. Most web pages are loaded over
> an insecure channel and from an unidentified source, and we live quite
> well with it - as long as it's not my net banking page or an online
> shop.
> But from your example, I guess you are talking exactly about an online
> shop - then you could use https, this would eliminate the network
> questions, at least.
>
> by(e)
> Stephan
>
> 2009/1/29 Trend-King <i...@trend-king.de>:
>
> > ok that's right but $.ajax() also does that so my problem is how safe it
> > is to pass <script></script> through JSON and then append it to the DOM
> > and it will be executed
>
> > On 29 Jan., 15:13, jQuery Lover <ilovejqu...@gmail.com> wrote:
> >> Reading the plugin homepage it does not. It only encodes and decodes
> >> JSON or am I missing anything?
>
> >> ----
> >> Read jQuery HowTo Resource  -  http://jquery-howto.blogspot.com
>
> >> On Thu, Jan 29, 2009 at 6:57 PM, Trend-King <i...@trend-king.de> wrote:
>
> >> > ok and that's safe for things like a string $("#cart_info").fadeIn
> >> > (500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
> >> > got from JSON?
>
> >> > On 29 Jan., 14:51, Stephan Veigl <stephan.ve...@gmail.com> wrote:
> >> >> hi,
>
> >> >> check out the secureEvalJSON() method of the json plugin:
> >> >> http://code.google.com/p/jquery-json/
>
> >> >> by(e)
> >> >> Stephan
>
> >> >> 2009/1/29 Trend-King <i...@trend-king.de>:
>
> >> >> > Hi there another question from me, how safe is it to eval() data got
> >> >> > via a JSON $.ajax() call
>
> >> >> > i want to get javascript data to be executed after JSON $.ajax() call.
>
> >> >> > or is there another way to do that?
>
>
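The data-only pattern the top reply recommends, as an added example that is not code from this thread: the client keeps an allow-list of UI actions and parses the response with JSON.parse, so a response that carries JavaScript is rejected instead of executed. Written without jQuery so it runs under Node; the `ui` array is a constructed stand-in for the DOM and the response strings are constructed samples.

```javascript
// Added example, not from the thread: server sends data, client decides
// which code runs. Contrast with eval('(' + text + ')'), which would run
// whatever the response contains.

// Allow-list of UI actions the client is willing to perform. A Map (not a
// plain object) so that inherited names like "toString" cannot be matched.
// `ui` is a constructed stand-in for the DOM: a log of actions performed.
const ACTIONS = new Map([
  ['fadeCart', (ui, arg) => ui.push('fadeCart(' + Number(arg) + ')')],
  ['showMessage', (ui, arg) => ui.push('showMessage(' + JSON.stringify(String(arg)) + ')')],
]);

// Strict parse: JSON.parse never executes code. Anything that is not a
// plain JSON object (JavaScript source, arrays, scalars) yields null.
function parseResponse(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    return null; // e.g. '$("#cart_info").fadeIn(500);' is not JSON
  }
  return data && typeof data === 'object' && !Array.isArray(data) ? data : null;
}

// Dispatch on fields. The server can only *name* an action from the
// allow-list; unknown names are ignored, never evaluated.
function handleResponse(text, ui) {
  const data = parseResponse(text);
  if (!data || data.success !== true) return false;
  const action = ACTIONS.get(data.action);
  if (!action) return false;
  action(ui, data.arg);
  return true;
}

// Constructed sample responses.
const GOOD = '{"success": true, "action": "fadeCart", "arg": 500}';
const UNKNOWN = '{"success": true, "action": "eval", "arg": "alert(1)"}';
const NOT_JSON = '$("#cart_info").fadeIn(500);'; // JavaScript, not JSON

const log = [];
handleResponse(GOOD, log);     // runs fadeCart(500)
handleResponse(UNKNOWN, log);  // ignored: "eval" is not an allowed action
handleResponse(NOT_JSON, log); // ignored: JSON.parse rejects it
```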
