Thread: Re: About X-JSON header and evil things... ;)

Re: About X-JSON header and evil things... ;)
2007-01-25 10:02:46
Is the sanitize step necessary? What would the performance hit be like
on a large response, and is the added complexity worth the trouble
considering all responses come from a controlled environment? You don't
sanitize HTML or XML responses, I say just use eval inside a try/catch.
Thanks,
Colin
tobie wrote:
> Patch: http://dev.rubyonrails.org/ticket/7295
>
> and live tests:
> http://sandbox.tobielangel.com/prototype/rev_6028/trunk/test/unit/string.html
> http://sandbox.tobielangel.com/prototype/rev_6028/trunk/test/unit/ajax.html
>
> I'm having issues in IE (don't know if it's the actual code or the
> testing that is causing the problem).
>
> The JSON sanitizing regex is taken from http://www.json.org/json.js
> with permission from Douglas Crockford.
>
> Would like to get as much feedback as possible so we can make it really
> bulletproof.
>
> Thanks,
>
> Tobie
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Spinoffs" group.
To post to this group, send email to rubyonrails-spinoffs googlegroups.com
To unsubscribe from this group, send email to rubyonrails-spinoffs-unsubscribe googlegroups.com
For more options, visit this group at http://groups.google.com/group/rubyonrails-spinoffs?hl=en
-~----------~----~----~----~------~----~------~--~---

Re: About X-JSON header and evil things... ;)
2007-01-25 10:03:38
Colin Mollenhour wrote:
> Is the sanitize step necessary? What would the performance hit be like
> on a large response, and is the added complexity worth the trouble
> considering all responses come from a controlled environment? You don't
> sanitize HTML or XML responses, I say just use eval inside a try/catch.
I agree. And in case the data can't be trusted then provide an optional
parameter signifying that it needs to be cleaned first.
--
Michael Peters
Developer
Plus Three, LP

Re: About X-JSON header and evil things... ;)
2007-01-25 11:18:02
Colin, Michael, sanitizeJSON is an option and is off by default.
If it is data created by a user, you had better sanitize it.
The performance hit isn't that bad really.
Tobie
On Jan 25, 11:02 am, Colin Mollenhour wrote:
> Is the sanitize step necessary? What would the performance hit be like
> on a large response, and is the added complexity worth the trouble
> considering all responses come from a controlled environment? You don't
> sanitize HTML or XML responses, I say just use eval inside a try/catch.
>
> Thanks,
> Colin
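Added example, not code from the ticket 7295 patch or from anyone in this thread: it illustrates the point Colin and Tobie are arguing over. A try/catch around eval only handles syntax errors; any string that is syntactically valid JavaScript still executes. A json.org-style character check (the regex below is my own approximation of that technique, not the one in the patch) rejects such strings before eval sees them, and JSON.parse, which browsers gained later than this 2007 thread, never executes code at all. The `sideEffects` array and the two inputs are constructed for the demo.

```javascript
// Constructed: records whether eval executed code that was not JSON.
const sideEffects = [];

// Structural check in the spirit of json.org's json.js (my approximation, not
// the patch's regex): neutralise escape sequences, drop string literals, then
// allow only the characters JSON syntax itself can contain. It is a cheap
// filter, not a parser, so treat it as defence in depth rather than proof.
function looksLikeJSON(text) {
  const stripped = text
    .replace(/\\./g, '@')            // escape sequences become a harmless '@'
    .replace(/"[^"\\\n\r]*"/g, '');  // string literals disappear entirely
  return /^[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]*$/.test(stripped);
}

// "eval inside a try/catch": the catch only absorbs SyntaxError and friends;
// valid JavaScript runs with the page's full privileges before returning.
function evalInTryCatch(text) {
  try {
    return eval('(' + text + ')');   // Prototype-style parenthesised eval
  } catch (e) {
    return null;
  }
}

// Same eval, gated by the structural check first (the sanitizeJSON idea).
function evalSanitized(text) {
  if (!looksLikeJSON(text)) {
    throw new SyntaxError('response is not JSON');
  }
  return eval('(' + text + ')');
}

// Present-day answer: a real JSON parser, which cannot execute code.
function parseStrict(text) {
  return JSON.parse(text);
}

// Constructed inputs: one honest JSON response, one valid JavaScript
// expression that evaluates to an object but runs a statement on the way.
const goodJSON = '{"user":"tobie","ids":[1,2,3],"ok":true}';
const notJSON = '(sideEffects.push("ran"), {"user":"tobie"})';

// Runs all three strategies over both inputs and reports what happened.
function demo() {
  const before = sideEffects.length;
  const viaTryCatch = evalInTryCatch(notJSON);       // returns an object...
  const ranViaEval = sideEffects.length > before;    // ...but code also ran

  let sanitizedRejected = false;
  try { evalSanitized(notJSON); } catch (e) { sanitizedRejected = true; }

  let strictRejected = false;
  try { parseStrict(notJSON); } catch (e) { strictRejected = true; }

  return {
    tryCatchUser: viaTryCatch && viaTryCatch.user,   // "tobie"
    ranViaEval,                                       // true
    sanitizedRejected,                                // true
    strictRejected,                                   // true
    goodUser: evalSanitized(goodJSON).user,           // "tobie"
    goodStrict: parseStrict(goodJSON).ids.length      // 3
  };
}
```

The result object shows the asymmetry: the try/catch path hands back a perfectly normal-looking object while `sideEffects` has already been touched, whereas both the sanitized path and JSON.parse refuse the input. This is why "it came from our server" is only a safe assumption while the server never echoes user-supplied data into the X-JSON header.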