On Mar 12, 2008, at 11:55 AM, Matt Pitts wrote:
My argument is this: if you want to return sensitive data for an AJAX app, doing so using eval-able JS or even pure JSON increases the risk that your data could be hijacked via cross-site attacks.
Like everything else it's only risky if you do it wrong. Always wrap it in {}. Enforce authn/authz; even the suggestion that you might not is horrific/ludicrous. Know what you're sending. Don't let users put code on your site in their data. All the usual suspects from there.

-Ashley

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
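The exchange above turns on one mechanical fact: a response body that parses as a JavaScript program can be pulled in cross-site with a script tag, while a body that is only valid as JSON cannot. The following is an added example (not from the thread or from Catalyst) that makes the "always wrap it in {}" advice testable: it parses candidate response bodies with the Function constructor (parse only, nothing is executed) and reports whether each one would be accepted as a script. The helper names and the sample payload are constructed for this illustration and are assumptions, not anything from the list post.

```javascript
// Added example, not from the mailing-list thread.
// Runs under Node.js; nothing is executed, only parsed.

// Returns true if `body` would be accepted as a JavaScript program,
// i.e. a cross-site <script src=...> include could execute it.
// `new Function(body)` compiles the text without running it.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything other than a parse failure is a real error
  }
}

// Defender-side helper: wrap a payload in a top-level object.
// JSON.stringify always quotes keys; a quoted key followed by ':' is a
// SyntaxError in statement position, so the body is JSON-only.
function wrapInObject(payload) {
  return JSON.stringify({ data: payload });
}

// Classify a candidate response body before it leaves the server.
function classifyBody(body) {
  return {
    scriptExecutable: parsesAsScript(body),
    validJson: (() => { try { JSON.parse(body); return true; } catch { return false; } })(),
  };
}

// Constructed sample record (hypothetical data, not from the thread).
const record = [{ id: 1, account: "example-account" }];

// 1. Bare array: valid JSON *and* a valid script (an expression statement).
const bareArray = JSON.stringify(record);

// 2. Object-wrapped with quoted keys: valid JSON, not a valid script.
const wrapped = wrapInObject(record);

// 3. "Eval-able JS" (a JSONP-style callback): a script by construction,
//    so wrapping the inner value changes nothing.
const jsonpStyle = "callback(" + wrapped + ")";

// 4. Caveat: unquoted keys make the braces a block with a *label*,
//    which parses as a script again. Only proper JSON (quoted keys) helps.
const unquotedKeys = "{data:" + bareArray + "}";

function report() {
  return {
    bareArray: classifyBody(bareArray),
    wrapped: classifyBody(wrapped),
    jsonpStyle: classifyBody(jsonpStyle),
    unquotedKeys: classifyBody(unquotedKeys),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(report(), null, 2));
}
```

The check is a parse-time property only; it says nothing about whether the caller was authenticated and authorised, which the reply treats as the non-negotiable part. It also shows why the wrapping has to be real JSON: hand-built `{data:[...]}` with unquoted keys is a labelled block and parses cleanly as a script.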