On Sun, Jun 27, 2010 at 1:46 PM, Robert Sayre <say...@gmail.com> wrote:
> On Sun, Jun 13, 2010 at 11:20 AM, Evan Gilbert <uid...@google.com> wrote:
>
>>> Can you explain the XSS hole from parsing a random JSON string?
>>
>> Naive processor calls:
>>
>> var href = document.location.href;
>> var jsonBlob = href.substring(href.indexOf('#'), href.length)
>> var userData = eval(jsonBlob);
>>
>> This code would allow executing arbitrary code by sending a user a link,
>> which could, for example, steal your cookies on a site.
>>
>> The fix is just a really complicated RegEx match
>
> I don't agree with this assessment.

What specifically don't you agree with? I agree that the RegEx match or a library will fix the security hole. The problem is that the insecure behavior - "eval(json)" - will just work, is obvious for developers to try, and non-obvious why this is a security hole.

> The fix is to use json2.js from
> json.org (which does indeed use a really complicated regex) if there
> is no global JSON object available in the browser. A global JSON
> object is available in IE8+, Firefox 3.5+, Safari 4.0.x+, and Chrome
> and Opera (don't have the versions handy).
>
> "Skate to where the puck is going, not to where it is." -- Wayne Gretzky
>
> --
> Robert Sayre
>
> "I would have written a shorter letter, but I did not have the time."
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
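The fix both participants agree on, as an added example that is not part of the thread or of json2.js: data carried in the URL fragment is read with `JSON.parse` instead of `eval`, so anything that is not strict JSON is rejected rather than executed. The function names (`fragmentOf`, `parseFragmentData`, `loadUserData`), the sample links and the expected `name` field are assumptions made for the example; unlike the snippet quoted above, it drops the leading `#` before parsing, and it runs in Node or in any browser that ships the global `JSON` object (json2.js would supply `JSON.parse` where it is missing).

```javascript
// Added example (not from the thread): read fragment data with JSON.parse
// rather than eval. Assumes a global JSON object (native in the browsers the
// thread lists, or provided by json2.js); the helper names are assumed.

// Feature check corresponding to the thread's "if there is no global JSON
// object available in the browser" condition.
function hasNativeJSON() {
  return typeof JSON === 'object' && JSON !== null && typeof JSON.parse === 'function';
}

// Text after the first '#' in a URL, or '' when there is no fragment.
// The '#' itself is dropped so the remainder can be parsed as JSON.
function fragmentOf(href) {
  const i = href.indexOf('#');
  return i === -1 ? '' : href.substring(i + 1);
}

// Parse the fragment as JSON data. Expressions, function calls, bare
// identifiers and other JavaScript that is not JSON make JSON.parse throw a
// SyntaxError, which we turn into null; nothing in the fragment is executed.
function parseFragmentData(href) {
  const text = fragmentOf(href);
  if (text === '') return null;
  try {
    return JSON.parse(decodeURIComponent(text));
  } catch (e) {
    // SyntaxError from JSON.parse, or URIError from a malformed %-escape
    return null;
  }
}

// Shape check: only accept the object the page expects (a 'name' string
// here, an assumption for the example). Valid JSON of the wrong shape, such
// as an array or a number, is rejected too.
function isUserData(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value)
    && typeof value.name === 'string';
}

function loadUserData(href) {
  const data = parseFragmentData(href);
  return isUserData(data) ? data : null;
}

// Constructed sample links (percent-encoded fragments)
const GOOD_LINK = 'https://app.example/#%7B%22name%22%3A%22alice%22%7D'; // #{"name":"alice"}
const EXPR_LINK = 'https://app.example/#1%2B1';                          // #1+1  valid JS, not JSON
const ARRAY_LINK = 'https://app.example/#%5B1%2C2%5D';                   // #[1,2] JSON, wrong shape

console.log('native JSON available:', hasNativeJSON());
console.log('good link  ->', loadUserData(GOOD_LINK));   // { name: 'alice' }
console.log('expr link  ->', loadUserData(EXPR_LINK));   // null (SyntaxError swallowed)
console.log('array link ->', loadUserData(ARRAY_LINK));  // null (parsed, but wrong shape)
```

The shape check after parsing is the part `JSON.parse` alone does not give you: a link can still carry well-formed JSON of an unexpected type, and code that assumes `userData.name` is a string should verify that before using it.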