what does eval() do ?


jh3an

Aug 20, 2008, 6:34:16 PM8/20/08
to Google Web Toolkit
Hi! Please help me understand the eval() function.
I know it is such a naive question.

The following function contains an eval() call:

function onJSONResponse()
{
    if(checkReadyState(request, 'loading') == true)
    {
        eval("var response = ("+request.responseText+")");
    }
}

What does eval do?

Does it assign the value to the variable response?

Why do we need to eval request.responseText? Because it would be
empty sometimes?

Why does it need the parentheses '(' and ')' in the eval code? Do they
do something?

Reinier Zwitserloot

Aug 20, 2008, 9:15:39 PM8/20/08
to Google Web Toolkit
This is a native code block, meaning it's plain vanilla JavaScript.
eval is a JavaScript-only device. I suggest you google for it; it is
not relevant to GWT.

walden

Aug 21, 2008, 9:00:14 AM8/21/08
to Google Web Toolkit
"Eval" is the devil's spelling of "Evil". Stay away!

Folke

Aug 21, 2008, 12:33:35 PM8/21/08
to Google Web Toolkit
With eval() you can let the browser do the parsing of JSON. If you do
not trust your source you can check the JSON for malicious code with a
regular expression first. RegExp+eval() is a lot faster than doing
this by hand.

See RFC 4627: 6. Security Considerations
http://www.ietf.org/rfc/rfc4627.txt

GWT's JSONParser uses eval().

Alex Rice

Aug 21, 2008, 11:18:49 PM8/21/08
to Google Web Toolkit
This brings up a kind of tangential question: the GWT classes
JSONObject, JSONArray, etc. Is it safe to assume these are not
running JavaScript eval() when they parse JSON strings? I assume not,
but I really don't have a clear concept of what's going on under the
hood. I assume it's a non-evaled kind of recursive descent parsing of
the JSON string. I am using JSON a lot from GWT Java code.

Thanks in advance!

Alex Rice


On Aug 21, 10:33 am, Folke <mess...@gmail.com> wrote:
> With eval() you can let the browser do the parsing of JSON. If you do
> not trust your source you can check the JSON for malicious code with a
> regular expression first. RegExp+eval() is a lot faster than doing
> this by hand.
>
> See RFC 4627: 6. Security Considerations http://www.ietf.org/rfc/rfc4627.txt

Ian Petersen

Aug 21, 2008, 11:29:57 PM8/21/08
to Google-We...@googlegroups.com
On Thu, Aug 21, 2008 at 11:18 PM, Alex Rice <mind...@gmail.com> wrote:
> This brings up kind of tangential question: the GWT classes
> JSONObject, JSONArray, etc. Is it safe to assume these are not
> running Javascript eval() when they parse JSON strings? I assume not,
> but really don't have a clear concept of what's going on under the
> hood. I assume it's a non-evaled kind of recursive descent parsing of
> the JSON string. I am using JSON a lot from GWT Java code.

At the Google I/O conference at the end of May I asked this question.
The answer was that GWT's client-side JSON library eventually calls
eval() when it converts a string to a JSON value. The underlying
assumption, therefore, is that you're consuming JSON strings from a
trusted source. I expressed some concern at that because not everyone
is consuming trusted strings and I wasn't aware of any advance notice
that parsing JSON is a trusted code path in GWT. There was some talk
about changing the parse() method to be safe and introducing an
unsafeParse() that you could invoke on trusted strings to gain some
speed benefits. I don't know if any of that talk turned into code.

Ian

Folke

Aug 22, 2008, 10:19:20 AM8/22/08
to Google Web Toolkit

Thomas Broyer

Aug 22, 2008, 10:49:33 AM8/22/08
to Google Web Toolkit


On 22 Aug, 05:29, "Ian Petersen" <ispet...@gmail.com> wrote:
It hasn't:
http://code.google.com/p/google-web-toolkit/source/browse/trunk/user/src/com/google/gwt/json/client/JSONParser.java#43
but at least it's now documented:
http://google-web-toolkit-doc-1-5.googlecode.com/svn/javadoc/1.5/com/google/gwt/json/client/JSONParser.html#parse(java.lang.String)

(keep in mind that JSONValues are "wrapper" objects, and are
constructed "lazily as the structure is requested", as was documented
in 1.4:
http://google-web-toolkit.googlecode.com/svn/javadoc/1.4/com/google/gwt/json/client/JSONParser.html#parse(java.lang.String)
so JSOs are far more efficient, but they don't check object types,
contrary to JSONValue's isString(), isObject(), isArray(), etc.)

Also note that the JSON module has been entirely rewritten between 1.4
and 1.5.

Alex Rice

Aug 22, 2008, 11:10:25 AM8/22/08
to Google Web Toolkit
All, thanks for confirming that.

What is the best way to clean my JSON, which is coming from a trusted
server but contains publicly entered data (it could have arbitrary
strings in it)? I could search and replace and remove script tags and
semicolons, for instance.

Sorry if this thread is going off topic!

Thanks,

Alex

On Aug 22, 8:49 am, Thomas Broyer <t.bro...@gmail.com> wrote:

> It hasn't: http://code.google.com/p/google-web-toolkit/source/browse/trunk/user/...
> but at least it's now documented: http://google-web-toolkit-doc-1-5.googlecode.com/svn/javadoc/1.5/com/...)
>
> (keep in mind that JSONValues are "wrapper" objects, and are
> constructed "lazily as the structure is requested", as was documented
> in 1.4: http://google-web-toolkit.googlecode.com/svn/javadoc/1.4/com/google/g...)

Ian Petersen

Aug 22, 2008, 11:49:11 AM8/22/08
to Google-We...@googlegroups.com
On Fri, Aug 22, 2008 at 11:10 AM, Alex Rice <mind...@gmail.com> wrote:
> What is the best way to clean my JSON which is coming from a trusted
> server, but has publicly input data in it (could have arbitrary
> strings in it). I could search and replace and remove script tags and
> semicolons, for instance.

There are two kinds of strings under discussion here: the overall JSON
data payload that is a "string", and then the string values embedded
within the data payload. If the payload is coming from a trusted
server, I don't think it matters if the embedded strings contain
user-controlled input, but someone else should check me here. My
logic is that the trusted server should be generating valid JSON, so
the embedded strings should be valid Javascript strings with properly
escaped quotes and newlines, and no illegal characters. Also, because
the server is trusted, it won't be generating object literals that
contain function definitions or invocations. I think, so long as you
don't try to interpret user-controlled strings as HTML, Javascript,
SQL, or anything else and remember that it's "just a string", you
should be OK. As far as I know, all the official GWT widgets will
sanitize incoming strings before displaying them *unless* you tell the
widget to interpret the string as HTML. So, for example, I _think_
the following is safe:

String userString = Window.prompt("Do your worst", "");
RootPanel.get().add(new Label(userString));

On the other hand, the following is dangerous:

String userString = Window.prompt("Do your worst", "");
RootPanel.get().add(new HTML(userString));

So, in summary, if the server generating the JSON can be trusted to
generate well-formed JSON, I think it's safe to pass that JSON to
eval() to convert the string into an object, regardless of the source
of the values within the JSON data. Once you've got an object on your
hands, though, then you need to be careful what you do with the data
within it.

Ian
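As an added example (not code from this thread, from GWT, or from the RFC), here is the RFC 4627 section 6 check that Folke's post refers to, put in front of eval() and placed beside JSON.parse, run over two constructed payloads: well-formed JSON whose string value carries arbitrary user text (Ian's case, where the value stays just a string), and a payload that is not JSON because it contains a function invocation. The helper names and both sample payloads are my own assumptions.

```javascript
// RFC 4627 section 6: a JSON text is safe to hand to eval() only if, after
// every string literal has been blanked out, nothing remains except JSON
// punctuation, digits, whitespace and the letters of true/false/null/E.
const STRINGS = /"(\\.|[^"\\])*"/g;                     // string literals, escapes included
const NON_JSON = /[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/;  // any character outside JSON tokens

function looksLikeJson(text) {
  return !NON_JSON.test(text.replace(STRINGS, ''));
}

// The "RegExp+eval()" approach from the thread: validate, then let the
// browser parse. The parentheses make eval treat "{...}" as an object
// literal rather than as a block statement (the first post's question).
function evalJsonGuarded(text) {
  if (!looksLikeJson(text)) {
    throw new SyntaxError('input is not JSON text; refusing to eval it');
  }
  return eval('(' + text + ')');
}

// The modern equivalent: JSON.parse never executes code, so no guard is needed.
function parseJsonStrict(text) {
  return JSON.parse(text);
}

// Constructed sample payloads (not captured from any real server):
// 1. well-formed JSON from a trusted server whose string value carries
//    arbitrary, properly escaped user text; it must survive as a plain string
const trustedPayload = '{"user":"<b>bob</b> said \\"hi\\"","score":12.5,"ok":true}';
// 2. not JSON: a function invocation where a value should be; plain eval()
//    would run it, the guard and JSON.parse both reject it
const notJsonPayload = '{"user":"bob","when":Date.now()}';
```

Note that the guard only decides whether the text is JSON; what you later do with obj.user (show it as a Label, or interpret it as HTML) is the separate concern Ian raises.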

Alex Rice

Aug 22, 2008, 11:56:46 AM8/22/08
to Google Web Toolkit
Ian, that is good news, and thanks for your thoughts. That helps a
lot!

Alex

On Aug 22, 9:49 am, "Ian Petersen" <ispet...@gmail.com> wrote: