- Dec 28, 2005
> anyone (ok, maybe not anyone, but some ppl) can type
> the address bar and crap all over your web page, right?
> so if it can be eval'd, the user can input it too, so what's the point?
> why not use eval?
> users can eval too!
> also, XML can be very unsafe too, depending on your implementation.

The specific problem is that you do not want to give a text from a 3rd
party data server the same authority as your own scripts. The eval
function unfortunately gives the visiting script too much authority.
The regExp in JSON.parse makes that harmless.
Ultimately, the user has (or should have) the ultimate authority over
what happens on their own equipment.
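
The difference the reply describes, as an added example that is not part of the original post: plain eval of a server's text versus eval behind a regular-expression filter. The filter patterns, the function names and the sample texts are this example's own assumptions, not the JSON.parse source of the time.

```javascript
// Added illustration. guardedParse, naiveParse, looksLikeJson, pageState and
// the sample texts are constructed for this example.
const pageState = { title: "My page" };

// Plain eval: the text runs with the same authority as the page's own scripts.
function naiveParse(text) {
  return eval("(" + text + ")");
}

// Filter first: only text that reduces to JSON punctuation reaches eval.
function looksLikeJson(text) {
  const reduced = text
    // 1. neutralise escape sequences so they cannot hide a quote
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
    // 2. collapse every string, number and literal token to "]"
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    // 3. drop "[" that opens an array at the start or after ":" or ","
    .replace(/(?:^|:|,)(?:\s*\[)+/g, "");
  // 4. anything left besides ] , : { } and whitespace is not data
  return /^[\],:{}\s]*$/.test(reduced);
}

function guardedParse(text) {
  if (!looksLikeJson(text)) {
    throw new SyntaxError("refused: text is not plain JSON data");
  }
  return eval("(" + text + ")");
}

// Constructed samples: one data reply, one reply that carries script.
const dataReply = '{"user":"alice","roles":["admin","dev"],"age":30}';
const scriptReply = '(function(){ pageState.title = "replaced"; return {}; })()';

function demo() {
  const results = {};
  results.data = guardedParse(dataReply).roles[1];
  try {
    guardedParse(scriptReply);
    results.guarded = "evaluated";
  } catch (e) {
    results.guarded = e.name; // the filter refuses before eval is reached
  }
  results.titleAfterGuard = pageState.title;
  naiveParse(scriptReply); // same text through plain eval changes page state
  results.titleAfterNaive = pageState.title;
  return results;
}
```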