Are you sure it's vulnerable? If you return a JSON object, it is not
vulnerable. JSON objects are only valid expressions, not statements, so
they are simply an error when sourced with a script tag.

You are ONLY vulnerable if you [return, an, array] as the outermost
JSON object.

-bob

On 4/3/07, Paul Johnston <[EMAIL PROTECTED]> wrote:
> Hi,
>
> The advisory is relevant to TurboGears, which returns JSON data. If you
> have a JSON method that returns confidential data to a logged-on user, a
> malicious website could harvest this. It is not FUD - at least one site
> I've developed was vulnerable. You could harvest the company's internal
> contact list.
>
> A quick fix at the TG level would be to have JSON controllers only
> return JSON for POST requests.
>
> Paul
>
> On 4/3/07, Bob Ippolito <[EMAIL PROTECTED]> wrote:
> >
> > Not really. That exploit only applies to people returning arrays from
> > server-side stuff and has absolutely no implications whatsoever for
> > client-side toolkits such as MochiKit. It's mostly FUD.

You received this message because you are subscribed to the Google Groups "TurboGears" group.
To post to this group, send email to turbogears@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears?hl=en
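The thread names one vulnerable response shape (an array as the outermost JSON value) and two defensive moves (wrap the result in an object; serve JSON only on POST). The following is an added example written for this page, not code from the thread, TurboGears or MochiKit: a small audit helper that classifies captured response bodies by their outermost JSON value, and a hardening wrapper for a controller result that applies both mitigations. The function names, the `{"result": ...}` wrapper key and the sample bodies are constructed for illustration.

```python
import json

# Added example (not from the thread): audit helpers for the condition discussed
# above, namely JSON responses whose outermost value is an array, plus the two
# mitigations mentioned: wrap the result in an object and serve JSON only on POST.
# Function names, the "result" wrapper key and the sample bodies are constructed.


def classify_json_body(body: str) -> str:
    """Classify a response body as 'array-top-level', 'object-top-level',
    'scalar-top-level' or 'not-json'."""
    try:
        value = json.loads(body)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return "not-json"
    if isinstance(value, list):
        return "array-top-level"
    if isinstance(value, dict):
        return "object-top-level"
    return "scalar-top-level"


def audit_bodies(bodies: dict) -> dict:
    """Map each endpoint name to its classification; endpoints reporting
    'array-top-level' are the ones that match the shape the thread flags."""
    return {name: classify_json_body(body) for name, body in bodies.items()}


def harden_json_response(method: str, payload, require_post: bool = True):
    """Return (status, body) for a JSON controller result.

    - Refuse non-POST requests when require_post is set (the TG-level fix
      Paul suggests).
    - Wrap a top-level list in an object so the outermost value is never an
      array (the shape Bob identifies as the vulnerable one).
    """
    if require_post and method.upper() != "POST":
        return 405, json.dumps({"error": "JSON endpoint accepts POST only"})
    if isinstance(payload, list):
        payload = {"result": payload}
    return 200, json.dumps(payload)


# Constructed sample bodies standing in for captured controller responses.
SAMPLE_BODIES = {
    "/contacts": '[{"name": "Alice", "email": "alice@example.test"}]',
    "/contacts_wrapped": '{"result": [{"name": "Alice"}]}',
    "/count": "42",
    "/broken": "<html>error</html>",
}

if __name__ == "__main__":
    for endpoint, verdict in audit_bodies(SAMPLE_BODIES).items():
        print(f"{endpoint}: {verdict}")
    print(harden_json_response("GET", [1, 2, 3]))
    print(harden_json_response("POST", [1, 2, 3]))
```

Running the block audits the constructed bodies (only `/contacts` reports `array-top-level`) and shows the wrapper refusing a GET with 405 while returning the list wrapped in an object on POST. Wrapping in an object changes the response contract, so client code that expects a bare array needs to read the `result` key instead.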