On Tue, Jun 29, 2010 at 5:53 AM, Evan Gilbert <uid...@google.com> wrote:
>
> What specifically don't you agree with? I agree that the RegEx match or a
> library will fix the security hole.
> The problem is that the insecure behavior - "eval(json)" - will just work,
> is obvious for developers to try, and non-obvious why this is a security
> hole.
I disagree that developers will blindly eval things to see if they can parse. They're most likely to use a JSON library or the JSON functionality of their favorite JS library. All of these will be safe. If they're the kind of developer who will start evaling strings sent from the server then there's not much hope of their application being secure, regardless of OAuth.

Ian

--
Ian McKellar <http://ian.mckellar.org/>
i...@mckellar.org: email | jabber | msn
ianloic: flickr | aim | yahoo | skype | linkedin | etc.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
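The three options the two messages above are arguing about, side by side, as an added example that is not part of the thread: the "just works" `eval(json)` that Evan describes, the character-class regex gate from RFC 4627 section 6 (the "RegEx match"), and a real JSON parser (`JSON.parse`, which is what any JSON library ultimately gives you). The two sample responses are constructed for this example; the malicious one is valid JavaScript that returns a plausible-looking token object while running arbitrary code as a side effect, which is exactly why `eval` appears to work on it. The global flag name `evalDemoSideEffect` is an assumption of this example, not anything from the thread.

```javascript
// Added example, not from the OAuth thread. Runs under Node or any modern
// browser with no dependencies.

// Constructed sample "responses", as a token endpoint (or whoever can speak
// for it: a MITM on a non-TLS hop, a compromised redirect target) might
// deliver them to the client.
const BENIGN_RESPONSE = '{"access_token":"abc123","token_type":"bearer"}';

// Not JSON, but syntactically valid JavaScript: the expression evaluates to an
// object with the expected fields, and as a side effect runs attacker code.
// The global flag name is an assumption made for this demo.
const MALICIOUS_RESPONSE =
  '(function () { globalThis.evalDemoSideEffect = "code ran"; ' +
  'return {"access_token":"abc123","token_type":"bearer"}; })()';

// 1. The "obvious" approach: it returns the right object for good input,
//    which is why nothing about it looks wrong to the developer trying it.
function parseWithEval(text) {
  return eval('(' + text + ')'); // eslint-disable-line no-eval
}

// 2. The RFC 4627 section 6 check: remove string literals, then refuse any
//    character that cannot appear in JSON outside a string, and only then eval.
function parseWithRfc4627Check(text) {
  const stripped = text.replace(/"(\\.|[^"\\])*"/g, '');
  if (/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(stripped)) {
    throw new SyntaxError('input contains characters that cannot occur in JSON');
  }
  return eval('(' + text + ')'); // eslint-disable-line no-eval
}

// 3. A real JSON parser: accepts only the JSON grammar and never executes
//    anything, so malicious input is simply a parse error.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Run one parser on one input and record the outcome (did it return a token,
// did it throw, and did any side effect of the input reach the global scope).
function attempt(parser, text) {
  delete globalThis.evalDemoSideEffect;
  try {
    const value = parser(text);
    return {
      ok: true,
      token: value.access_token,
      sideEffect: globalThis.evalDemoSideEffect || null,
    };
  } catch (e) {
    return { ok: false, error: e.name, sideEffect: globalThis.evalDemoSideEffect || null };
  }
}

function runDemo() {
  const parsers = { parseWithEval, parseWithRfc4627Check, parseWithJsonParse };
  const inputs = { BENIGN_RESPONSE, MALICIOUS_RESPONSE };
  for (const [pname, parser] of Object.entries(parsers)) {
    for (const [iname, text] of Object.entries(inputs)) {
      console.log(pname.padEnd(22), iname.padEnd(18), JSON.stringify(attempt(parser, text)));
    }
  }
}

runDemo();
```

Running it shows the asymmetry Evan is pointing at: on the benign response all three parsers return the same token, so a developer who only ever tests against the real server sees no difference; on the malicious response `parseWithEval` still returns `abc123` but has already executed the payload, while both the regex gate and `JSON.parse` throw a `SyntaxError` before anything runs.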