On 7/9/11 2:36 PM, Christian Grobmeier wrote:
> - don't use JavaScript arrays to return as a JSON string

It really doesn't matter if it's an array or object: if it's valid JSON that the browser will attempt to execute, it's vulnerable.

> - don't use GET as your method

I believe that would protect your data from this script tag attack vector.

You mentioned putting everything into a JS comment. This breaks the protocol definition and will cause jQuery to fail (and probably others).

If it's doing XHR, I'm certain you can insert a filter to make it work either way, but making the result configurable doesn't seem to be an unreasonable request. I still suggest that the default behavior is to protect users' data.

> In addition a Struts JSON plugin should allow cross-domain Ajax by default for POST only; GET should be enabled by user interaction.

The plugin doesn't care; it's the configuration that determines when you use the interceptor or result.
-Dale
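As an added illustration of the two mitigations argued over in this thread (the unbalanced prefix and the comment wrapper, plus the POST-only rule), here is example code that is not from the Struts JSON plugin or from either participant. The prefix string, the function names, the sample record and the use of `new Function` as a stand-in for a browser's `<script src=...>` parse step are all assumptions of this example.

```javascript
// Added example for this thread (not Struts code): the script-tag
// "JSON hijacking" vector and the mitigations discussed above.
// Assumptions (mine, not the thread's): the prefix string, the function
// names, the sample data, and `new Function` standing in for the parse
// step a browser performs on a <script src=...> body.

// A <script src="https://victim/api"> fetch is always a GET and always
// evaluates the body as JavaScript. A bare JSON array is valid JS, so the
// hostile page that embedded the tag gets the body evaluated in its origin.
const SAMPLE_DATA = [{ id: 1, email: "alice@example.com" }]; // constructed sample

// Unbalanced prefix: the body no longer parses as a script, so a hostile
// <script> include aborts with a SyntaxError before anything is exposed.
// Legitimate XHR callers strip it before JSON.parse.
const HIJACK_PREFIX = ")]}',\n";

// Server side: one "result" with the protection switchable, mirroring the
// request in the thread that it be configurable but on by default.
function renderJson(value, { protect = true } = {}) {
  const json = JSON.stringify(value);
  return protect ? HIJACK_PREFIX + json : json;
}

// The alternative raised in the thread: wrap the JSON in a JS comment.
// The script evaluates to nothing, but the body is no longer JSON either.
function renderJsonInComment(value) {
  return "/* " + JSON.stringify(value) + " */";
}

// Would a <script src> tag evaluate this body? We only check whether it
// parses; parsing is the step the prefix is designed to break.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Client side: what an XHR success handler must do before JSON.parse.
// A stock jQuery dataType:"json" handler would choke on the prefix, which
// is the protocol break Dale refers to.
function parseProtected(body) {
  if (!body.startsWith(HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijack prefix");
  }
  return JSON.parse(body.slice(HIJACK_PREFIX.length));
}

// Client side for the comment-wrapped variant: same idea, different unwrap.
function parseCommentWrapped(body) {
  const m = /^\/\*\s*([\s\S]*?)\s*\*\/$/.exec(body);
  if (!m) throw new Error("response is not comment-wrapped");
  return JSON.parse(m[1]);
}

// Method guard for a cross-domain endpoint: a <script> tag can only issue
// GET, so serving the data on POST only closes this vector even for
// callers that never strip a prefix.
function serveJson(request, value) {
  if (request.method !== "POST") {
    return { status: 405, body: "" };
  }
  return { status: 200, body: renderJson(value) };
}

function demo() {
  return {
    bareArrayParses: parsesAsScript(renderJson(SAMPLE_DATA, { protect: false })), // true
    prefixedParses: parsesAsScript(renderJson(SAMPLE_DATA)),                       // false
    commentWrappedParses: parsesAsScript(renderJsonInComment(SAMPLE_DATA)),         // true, as an empty script
    roundTrip: parseProtected(renderJson(SAMPLE_DATA))[0].email,                    // "alice@example.com"
    getRefused: serveJson({ method: "GET" }, SAMPLE_DATA).status,                   // 405
  };
}
```

Note the asymmetry `demo()` exposes: the comment wrapper still parses as a script (it simply does nothing), whereas the unbalanced prefix fails to parse at all. Either way the XHR client has to unwrap the body itself, which is why a stock JSON client breaks and why the thread asks for the behaviour to be configurable.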