For security reasons you should consider returning JSON only if the request is an XMLHttpRequest.
I added
$c->forward( $c->view("JSON") )
if ( $c->req->header("X-Requested-With") eq "XMLHttpRequest" );
to my end method. If someone tries to get the JSON data directly he gets an error or another template.
I don't know if YUI adds this specific header to each JSON request, but it should.
This is not enough to make your JSON data bulletproof, but it is a good step in the right direction. I suggest <http://en.wikipedia.org/wiki/Cross-site_request_forgery> and <http://www.gnucitizen.org/blog/csrf-demystified/> as reading.
regards,
moritz
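The check described above, worked through as an added example that is not part of moritz's post or of Catalyst itself: the request and session are plain dicts standing in for `$c->req` and `$c->session` (an assumption), the `X-CSRF-Token` header name is assumed rather than taken from the thread, and the data served is constructed. It goes one step past the post by layering a per-session CSRF token under the header test, which is the "not enough on its own" part moritz alludes to.

```python
"""Serve JSON only to XMLHttpRequest callers, then require a CSRF token.

Hypothetical request/session objects are plain dicts standing in for
Catalyst's $c->req and $c->session (assumption); this is not Catalyst code.
"""
import hmac
import json
import secrets

XHR_HEADER = "X-Requested-With"
XHR_VALUE = "XMLHttpRequest"
TOKEN_HEADER = "X-CSRF-Token"  # assumed header name, not from the thread

# Constructed sample payload standing in for whatever the controller stashes.
SAMPLE_DATA = {"items": [{"id": 1, "name": "alpha"}, {"id": 2, "name": "beta"}]}


def _lower(headers):
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def is_xhr(headers):
    """True when the browser-side library attached the custom header.

    A plain <a href>, <form> or <script src> from another origin cannot add
    a custom request header, so those requests fall through to the HTML view.
    """
    return _lower(headers).get(XHR_HEADER.lower(), "") == XHR_VALUE


def new_csrf_token():
    """Per-session secret that the page template embeds and the XHR echoes."""
    return secrets.token_hex(16)


def token_matches(session, headers):
    """Constant-time comparison of the echoed token against the session copy."""
    expected = session.get("csrf_token")
    supplied = _lower(headers).get(TOKEN_HEADER.lower())
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def end_action(request, session):
    """Mirror of the 'end' method decision: returns (status, content_type, body)."""
    headers = request.get("headers", {})
    if not is_xhr(headers):
        # Direct navigation or cross-site inclusion: serve the HTML view instead.
        return (403, "text/html", "<html><body>Not available</body></html>")
    if not token_matches(session, headers):
        return (403, "text/plain", "CSRF token missing or invalid")
    return (200, "application/json", json.dumps(SAMPLE_DATA, sort_keys=True))


def demo():
    """Three constructed requests: legitimate XHR, direct GET, wrong token."""
    session = {"csrf_token": new_csrf_token()}
    good = {"headers": {XHR_HEADER: XHR_VALUE, TOKEN_HEADER: session["csrf_token"]}}
    direct = {"headers": {}}  # e.g. the URL typed into the address bar
    wrong_token = {"headers": {XHR_HEADER: XHR_VALUE, TOKEN_HEADER: "0" * 32}}
    return (end_action(good, session),
            end_action(direct, session),
            end_action(wrong_token, session))


if __name__ == "__main__":
    for status, ctype, body in demo():
        print(status, ctype, body)
```

The header test only buys protection in a browser, where a page on another origin cannot set a custom header without a CORS preflight the server would have to approve; a non-browser client can send any header it likes, which is why the session token is the layer that actually binds the request to the user.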
On 12.03.2008 at 14:47, Matt Pitts wrote:
I'm going to have to be the red-headed stepchild that advocates XML...
-----Original Message-----
From: Mesdaq, Ali [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 11, 2008 5:19 PM
To: The elegant MVC web framework
Subject: RE: [Catalyst] implementing ajax
Jennifer,
Are you sure you want to stick with this route? Looks like you're going to make a lot of work for yourself. I would hate to see the js code to make xml. Use the js code to just post the values you want read those values
I can't speak too much on the generation of XML on the client, but I do advocate the use of POST rather than uploading an XML body. Most of the popular JS toolkits make this quite easy.
Why would you want to use JSON? Because javascript can just read it straight in and you can use it without having to parse anything. Your js would just eval the returned json content and use it. If you return xml you will need to parse it out and it just makes a lot of work.
The main reason against JSON for me is security. Something that can be eval'd is very dangerous and I'm sure we're all aware of the cross-site vulnerabilities that take advantage of JSON returned data. The one thing that's always mentioned as a total failsafe against it is to *not* use JSON as your returned data structure.
As far as parsing the XML, that's why I use ExtJS. I can define a Store and use XPath to map Record fields to my XML data - ExtJS does the rest. It's a bit like having a Model of my data on the client side.
Just my 2 cents.
v/r
-matt pitts
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/