
Output escaping/stored escaping

  • Dennis Gearon
    Message 1 of 7, Feb 25, 2010
      Wonder about escaping characters using a JSON API.

      JSON isn't JUST for browsers obviously (mobile apps or direct B2B would be the starting list for other uses). But XMLHttpRequests in browsers are a large portion of possible use scenarios.

      So - Is anyone escaping JSON content to prevent XSS from stored data? Are you storing it escaped?

      Dennis Gearon

      Signature Warning
      ----------------
      EARTH has a Right To Life,
      otherwise we all die.

      Read 'Hot, Flat, and Crowded'
      Laugh at http://www.yert.com/film.php

      --- On Thu, 2/25/10, Arthur Blake <arthur.blake@...> wrote:

      From: Arthur Blake <arthur.blake@...>
      Subject: Re: [json] Re: IE8 Native JSON Bug
      To: json@yahoogroups.com
      Date: Thursday, February 25, 2010, 12:59 PM

      Just saw this come across my automatic updates:

      http://support.microsoft.com/kb/976662

      Perhaps Microsoft has fixed the problem??


      On Tue, Jun 2, 2009 at 3:24 PM, Stephen M. McKamey <stephen@jsonfx.net> wrote:

      > Allen Wirfs-Brock suggested another work-around to the IE8 native JSON
      > issue:
      >
      > Another work-around that is isolated to a single place is to use IE8's
      > "mutable DOM prototypes" support to patch HTMLInputElement.prototype.value
      > so that the bogus "" value is filtered out. For example:
      >
      > ...
      >
      > (function() {
      >     // Keep a reference to IE8's built-in getter for input.value.
      >     var builtInInputValue =
      >         Object.getOwnPropertyDescriptor(HTMLInputElement.prototype, "value").get;
      >
      >     // Replace the getter with one that filters the bogus value out
      >     // before any caller sees it.
      >     Object.defineProperty(HTMLInputElement.prototype, "value", {
      >         get: function() {
      >             var possiblyBad = builtInInputValue.call(this);
      >             return possiblyBad === "" ? "" : possiblyBad;
      >         }
      >     });
      > })();
      >
      > ...
      >
      > A patch like this could be conditionally executed as part of the
      > initialization code of a framework.
      >



      [Non-text portions of this message have been removed]
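An added example, not code from the thread or any of its posters, of the distinction Dennis is asking about: the record is stored unescaped and escaping is applied at output, with a different encoder for each context the JSON ends up in. It assumes Node.js; the record and the function names are constructed for the demo.

```javascript
// Added example (not from the thread): store data raw, escape at output,
// with a separate encoder for each context the JSON lands in. Node.js.

// Constructed sample record, stored exactly as the user submitted it.
const storedRecord = {
  name: 'Mallory </script><script>alert(1)</script>',
  note: 'line1\u2028line2',
};

// Context 1: JSON embedded in an inline <script> block. JSON.stringify
// leaves "</script>" intact, which would terminate the script element
// early; rewriting the HTML-significant characters (and the U+2028/2029
// line terminators) as \uXXXX escapes keeps the output both valid JSON
// and safe to inline.
function jsonForScriptBlock(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Context 2: a string pulled out of the parsed JSON and written into HTML
// markup (innerHTML, a server-side template). Entity encoding belongs at
// this point, not in the database and not inside the JSON.
function htmlEscape(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Context 3: a plain JSON API response fetched by XMLHttpRequest. Nothing
// is HTML-escaped here; the client must use textContent (or htmlEscape
// before innerHTML). The content type keeps the response from being
// treated as HTML if a browser opens the URL directly.
function apiResponse(value) {
  return {
    headers: { 'Content-Type': 'application/json; charset=utf-8' },
    body: JSON.stringify(value),
  };
}

// Escaping at output is lossless: the script-block form parses back to
// the stored record, so nothing had to be altered before storage.
function roundTripsIntact(value) {
  return JSON.stringify(JSON.parse(jsonForScriptBlock(value))) === JSON.stringify(value);
}
```

Storing the entity-encoded form instead would break the API and mobile consumers, which do not render HTML, and would still leave the inline script case unprotected.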