On Mar 12, 2008, at 11:55 AM, Matt Pitts wrote:
My argument is this: if you want to return sensitive data for an AJAX
app, doing so using eval-able JS or even pure JSON increases the risk
that your data could be hijacked via cross-site attacks.

Like everything else it's only risky if you do it wrong. Always wrap
it in {}. Enforce authn/authz; even the suggestion that you might
not is horrific/ludicrous. Know what you're sending. Don't let users
put code on your site in their data. All the usual suspects from there.

-Ashley
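The "always wrap it in {}" advice above rests on a parsing fact: a bare JSON array is also a valid JavaScript program, so a third-party page can point a `<script src>` at the URL and have the browser load it, whereas a JSON object at top level is a syntax error as a script. The following is an added example, not code from the thread or from Catalyst, that checks a response body for that property and shows the wrapped form round-tripping through a client that uses `JSON.parse` rather than `eval`; the helper names and the sample user record are assumptions for illustration.

```javascript
"use strict";

// Compile (never execute) the body as a script. new Function only parses,
// so this tells us whether a <script src> pointing at the endpoint could
// load the response at all, which is the precondition for array hijacking.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: wrap the top-level value in an object. The client still gets
// valid JSON, but as a script the body opens a block and then hits a quoted
// key, which is a SyntaxError. (An empty {} alone parses as an empty block,
// but there is nothing in it to steal.)
function wrapForAjax(value) {
  return JSON.stringify({ d: value });
}

// Client side: parse with JSON.parse, not eval, and unwrap.
function readWrapped(body) {
  return JSON.parse(body).d;
}

// Constructed sample data standing in for a sensitive AJAX response.
const users = [{ id: 1, email: "alice@example.invalid" }];
const bare = JSON.stringify(users);   // '[{"id":1,"email":"..."}]'
const wrapped = wrapForAjax(users);   // '{"d":[{"id":1,"email":"..."}]}'

function demo() {
  return {
    bareParsesAsScript: parsesAsScript(bare),       // true: loadable as a script
    wrappedParsesAsScript: parsesAsScript(wrapped), // false: SyntaxError
    roundTrip: readWrapped(wrapped),                // original users array
  };
}
```

Wrapping removes only the script-inclusion vector; the reply's other points (authn/authz on the endpoint, not echoing user-supplied code) still apply.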

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
