When I make an Ajax request using xhr and specify the handleAs property as json or json-comment-filtered, is the incoming JSON data parsed to remove any embedded code? Or do I need to use a JSON parser like that found at http://www.json.org/json.js?
Just wondering.

dojo.fromJson(), which is used by the dojo.xhr JSON handling, just uses eval() on the JSON. It does not do any other processing of the JSON string.
it's as secure as your JSON is well-formed
...and insecure as your JSON parser is bad. My best security advice here is:
- always use a JSON encoder and don't construct strings by hand
- use JSON comment filtering or the "while(1)" technique in conjunction with forms of authentication *other* than cookies when handling sensitive data via JSON
Regards
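
The difference between the eval()-based handling described in this thread and a strict parser, as an added example that is not Dojo code and was not posted by any participant. The function names and sample responses are constructed for illustration; it assumes a runtime with a native `JSON.parse`.

```javascript
// Added example: strict parsing of guarded JSON responses (not Dojo code).
// Function names and sample payloads are constructed for illustration.

// Strip the two guards mentioned in the thread, then use a real JSON parser.
function parseGuardedJson(text) {
  let body = text.trim();
  const loopGuard = /^while\s*\(\s*1\s*\)\s*;?/;   // "while(1);" prefix
  const commentGuard = /^\/\*([\s\S]*)\*\/$/;       // "/* ... */" wrapper
  if (loopGuard.test(body)) {
    body = body.replace(loopGuard, "");
  } else {
    const m = commentGuard.exec(body);
    if (m) body = m[1];
  }
  // JSON.parse accepts only JSON grammar; it never evaluates expressions.
  return JSON.parse(body);
}

// What an eval()-based handler does with the same text, for contrast.
function evalParse(text) {
  return (0, eval)("(" + text + ")");
}

// Constructed responses.
const guarded = 'while(1);{"user":"alice","roles":["admin"]}';
const commented = '/*{"user":"bob"}*/';
// Not JSON: a function call sits where a value should be.
const notJson = '{"user":(function(){globalThis.__ran=true;return "x"})()}';

function demo() {
  globalThis.__ran = false;
  const viaEval = evalParse(notJson);          // the embedded code runs here
  const ranUnderEval = globalThis.__ran;
  globalThis.__ran = false;
  let strictRejected = false;
  try { parseGuardedJson(notJson); }
  catch (e) { strictRejected = e instanceof SyntaxError; }
  return {
    role: parseGuardedJson(guarded).roles[0],
    user: parseGuardedJson(commented).user,
    viaEvalUser: viaEval.user,
    ranUnderEval,
    strictRejected,
    ranUnderStrict: globalThis.__ran,
  };
}
```
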