On 7/10/11 4:34 AM, Christian Grobmeier wrote:
Maybe there are other exploits, but I only know what you sent as links. And those are saying you need a JSON array because JSON objects are not valid JS statements.
You clearly didn't read all the links I included, or do your own search as I suggested. The following statements are from another page in that short list of links I included:
"Yesterday, I blogged about how to steal data from JSON by overriding the Array constructor. Today, we break into Objects too."
... "So now you can steal data from any JSON object"
I just checked: http://api.jquery.com/jQuery.ajax/ jQuery does XHR (wrapped in a jqXHR object), but I would not have a clue how I could remove those comments.
Then maybe you should find a clue. JavaScript is an incredibly dynamic language.
It is a more philosophical debate.
Agreed. The core of the debate is who the "users" are that we as framework developers should be protecting. I claim that they are the people using the applications built using the framework, not the people developing those applications. You are free to develop insecure tools for those users using this framework if you so choose, but I want you to have to make a concrete decision to do so. Your statement "If I care, I can always read the security docs of Struts." illustrates that there are plenty of developers who won't bother to read the docs unless something isn't working as they expect, and therefore if we default to an insecure mechanism, their users' data will be insecure and they won't know anything about it, and at the end of the day the framework will get blamed for it.
you should write a page about it
I will not claim that the documentation of this "feature" exists or is clear, but that is a separate question from that of how it should behave. Struts is an open source project. If you think there should be a page that doesn't yet exist, please write it and contribute it.
Is the configuration "POST" or "GET" by default?
The configuration of your struts.xml which specifies the interceptors and result types that your actions will use does not by default include json. If you want to add in those interceptors or results, you should learn how they work, and configure them appropriately.
-Dale
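On the question raised in the thread of how a jQuery client would strip the protective comment wrapper before parsing, here is an added example; it is not code from either participant, from Struts or from jQuery. It assumes two wrapper shapes, a `/* ... */` comment and a `{}&&` prefix, as representative of what a JSON result might emit to make the response inert as a script, and it parses with `JSON.parse` rather than `eval` so a page-level redefinition of `Array` or `Object` never sees the data being built.

```javascript
// Added example (not from the thread, Struts or jQuery). Client-side unwrapping of a
// JSON response that the server has deliberately made non-executable as a script.
// Assumption: the server uses either a block-comment wrapper or a "{}&&" prefix;
// the actual option names of the Struts JSON plugin are not taken from the thread.

const COMMENT_WRAP = /^\s*\/\*\s*([\s\S]*?)\s*\*\/\s*$/; // /* {...} */
const OBJECT_PREFIX = /^\s*\{\}\s*&&\s*/;                 // {}&& {...}

// Return the bare JSON text, whichever wrapper (if any) the server applied.
function stripWrapper(text) {
  if (typeof text !== 'string') throw new TypeError('expected response text');
  const m = COMMENT_WRAP.exec(text);
  if (m) return m[1];
  return text.replace(OBJECT_PREFIX, '');
}

// JSON.parse builds the object without executing anything, so a redefined
// Array/Object constructor in the page cannot observe the values.
function unwrapJson(text) {
  return JSON.parse(stripWrapper(text));
}

// jQuery hook: $.ajax({ url: '/data.action', dataType: 'json', dataFilter: jqueryDataFilter })
// jQuery calls dataFilter(rawText, dataType) before its own JSON converter runs, so
// returning the unwrapped string lets jQuery parse it normally.
function jqueryDataFilter(rawText, dataType) {
  return dataType === 'json' ? stripWrapper(rawText) : rawText;
}

// Constructed sample responses (not real server output).
const SAMPLE_COMMENTED = '/* {"user":"alice","balance":42} */';
const SAMPLE_PREFIXED = '{}&& {"items":[1,2,3]}';

console.log(unwrapJson(SAMPLE_COMMENTED).user);   // alice
console.log(unwrapJson(SAMPLE_PREFIXED).items);   // [ 1, 2, 3 ]
```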
