Re: org.json.java

  • Douglas Crockford
    Message 1 of 7 , Jul 3, 2008
      --- In json@yahoogroups.com, "Tyler Close" <tyler.close@...> wrote:
      >
      > On Thu, Jul 3, 2008 at 8:31 AM, Douglas Crockford <douglas@...> wrote:
      > > So far this hasn't appeared to be a problem. I haven't seen
      > > applications flinging around a lot of the Cf characters that get
      > > deleted by Firefox before eval.
      >
      > I'd be more worried about web apps that accept user input and so could
      > be made to traffic in Cf characters without having thought about it. A
      > tricky user might then be able to exploit the fact that strings
      > silently change value when being passed back and forth by the
      > application.

      That is a serious problem when using a naked eval. So json.js contains
      this step:

      // cx is the regular expression json.js defines for the characters
      // that must not reach eval raw; each match becomes a \uXXXX escape.
      text = text.replace(cx, function (a) {
          return '\\u' + ('0000' +
              (+(a.charCodeAt(0))).toString(16)).slice(-4);
      });

      It converts the flimsy characters to escape sequences before eval so
      that they are preserved.
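The escaping step described in the message, as an added example that is not part of the original post or of json.js itself. The `cx` pattern here is an assumption for the example: it mirrors the pattern used by the later json2.js, and may differ from the 2008 json.js version. `evalDroppingCf` is a constructed stand-in for an evaluator that silently deletes format characters from its source before evaluating it, so the value change the thread worries about can be shown without a browser.

```javascript
// Characters to escape before eval. Assumed to mirror json2.js's cx pattern
// (not quoted from the message above).
const cx = /[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;

// The step described in the message: replace each matched character with
// its \uXXXX escape so that eval reconstructs the original code point.
function escapeFlimsy(text) {
  return text.replace(cx, function (a) {
    return '\\u' + ('0000' + (+(a.charCodeAt(0))).toString(16)).slice(-4);
  });
}

// Constructed model of an evaluator that drops Unicode Cf characters from
// the source text before evaluating it. Not real browser code; it exists
// only to make the "silently changed string" failure visible offline.
function evalDroppingCf(text) {
  const cf = /[\u00ad\u200b-\u200f\u202a-\u202e\u2060-\u2064\ufeff]/g;
  return eval('(' + text.replace(cf, '') + ')');
}

// Round-trip a value three ways: naked eval on the dropping evaluator,
// the same evaluator after the escape step, and a plain eval of the
// escaped text. Only the first one changes the string.
function roundTrip(value) {
  const text = JSON.stringify(value); // leaves U+200C and friends raw
  return {
    naive: evalDroppingCf(text),
    escaped: evalDroppingCf(escapeFlimsy(text)),
    plain: eval('(' + escapeFlimsy(text) + ')'),
    escapedText: escapeFlimsy(text),
  };
}

// Constructed sample: a name with a zero-width non-joiner (U+200C, Cf)
// inside it, as user input might legitimately contain.
const sample = { name: 'Jo\u200Cse', sep: '\u2028' };
const result = roundTrip(sample);
console.log('naive   :', JSON.stringify(result.naive.name));   // "Jose"
console.log('escaped :', JSON.stringify(result.escaped.name)); // "Jo\u200Cse"
console.log('escaped text:', result.escapedText);
```

Note that `JSON.stringify` does not escape these characters, so a JSON text produced by a server and handed to a naked `eval` on the client is exactly the case the thread describes; the escape step is what keeps the value the application received identical to the value it sends back.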