These are mistakes we have already made in our old systems; let's not
repeat them.
1) Please DO NOT use "{{{", it introduces SECURITY VULNERABILITIES.
Sajith, Rasika, we need to introduce a new function. Don't even tell people
about "{{{".
In backend JS, Hemika should be able to do the following:
toClient("fromBackend.protocols", protocols);
and in the frontend, he should be able to just
console.log(fromBackend.protocols) and see the JSON.
Given the cost of this kind of vulnerability, I don't think we should
even do this as a temp solution. We should safe-stringify before sending;
view the source of Gmail and search for "var GLOBALS" and you will see how a safe JSON
stringify works. ALL non-alphanumeric characters have to be encoded with \x. Not just
" but things like <, which are normally considered safe in JSON, have to be
encoded [1].
2) We shouldn't be manually iterating to convert to JSON. This just adds
unnecessary boilerplate work the dev has to do. If we implement (1) we don't
need this for now, so we can discuss this later. But also see [2].
[1] see "JavaScript Encoding" in
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Output_Encoding_Rules_Summary
[2]
http://mail.openjdk.java.net/pipermail/nashorn-dev/2013-September/002013.html
On Fri, Jun 10, 2016 at 4:46 AM, Hemika Kodikara <[email protected]> wrote:
> Also please note that I used JSON.stringify method in server side js.
>
> Hemika Kodikara
> Software Engineer
> WSO2 Inc.
> lean . enterprise . middleware
> http://wso2.com
>
> Mobile : +94777688882
>
> On Fri, Jun 10, 2016 at 2:13 PM, Hemika Kodikara <[email protected]> wrote:
>
>> Thanks Rasika for the solution.
>>
>> In the client side JS, have the following code :
>>
>> <script type="text/javascript">
>> var protocols = {{{protocols}}};
>> $.each(protocols, function(index, value) {
>>     $('#queue-subscription-protocols').append($('<option>').text(value).attr('value', index));
>> });
>> </script>
>>
>> Have to use 3 curly braces.
>>
>> Regards,
>> Hemika
>>
>> Hemika Kodikara
>> Software Engineer
>> WSO2 Inc.
>> lean . enterprise . middleware
>> http://wso2.com
>>
>> Mobile : +94777688882
>>
>> On Fri, Jun 10, 2016 at 2:00 PM, Hemika Kodikara <[email protected]> wrote:
>>
>>> Hi Milinda,
>>>
>>> It is not a string array; it's actually Java objects that are there.
>>>
>>> Hi Sajith,
>>>
>>> I modified the nashorn script as following :
>>>
>>> var onRequest = function (context) {
>>>     var protocols = callOSGiService("org.wso2.andes.kernel.Andes", "getSupportedProtocols", []);
>>>     var protocolStrings = [];
>>>     for each (var item in protocols) {
>>>         protocolStrings.push(item.toString());
>>>     }
>>>
>>>     // var protocolsJson = JSON.stringify(protocolStrings);
>>>     return {"protocols" : protocolStrings};
>>> };
>>>
>>> I am assigning the "protocols" JSON value to a JavaScript variable in
>>> the client side as follows:
>>>
>>> var protocols = {{protocols}};
>>> $.each(protocols, function(index, value) {
>>>     $('#queue-subscription-protocols').append($('<option>').text(value).attr('value', index));
>>> });
>>>
>>>
>>> But I am getting the following errors when the page is rendered (client-side
>>> JS):
>>>
>>> var protocols = [object Array]; <-- Syntax error
>>>
>>> When I use JSON.stringify in server side js, I get the following output:
>>>
>>> var protocols = ["AMQP-0-10","MQTT-default","AMQP-0-91","AMQP-8-0","AMQP-0-9"];
>>> <-- Unexpected token &
>>>
>>> Any Idea ?
>>>
>>> Regards,
>>> Hemika
>>>
>>>
>>> Hemika Kodikara
>>> Software Engineer
>>> WSO2 Inc.
>>> lean . enterprise . middleware
>>> http://wso2.com
>>>
>>> Mobile : +94777688882
>>>
>>> On Fri, Jun 10, 2016 at 12:51 PM, Milinda Perera <[email protected]>
>>> wrote:
>>>
>>>> Hi Hemika,
>>>>
>>>> If AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9 are strings,
>>>> following should work
>>>>
>>>> JSON.parse("[\"AMQP-0-10\", \"MQTT-default\", \"AMQP-0-91\", \"AMQP-8-0\", \"AMQP-0-9\"]")
>>>>
>>>> According to [1], within an array "A *value* can be a *string* in double
>>>> quotes, or a *number*, or true or false or null, or an *object* or an
>>>> *array*. These structures can be nested."
>>>>
>>>> [1] http://www.json.org/
>>>>
>>>> Thanks,
>>>> Mili
>>>>
>>>> On Fri, Jun 10, 2016 at 12:33 PM, Hemika Kodikara <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I am invoking the callOSGiService method in Nashorn to get a list of
>>>>> protocols that's in Andes of MB.
>>>>>
>>>>> I am getting the following output after invoking the callOSGiService :
>>>>> [AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9]
>>>>>
>>>>> But I need to convert it into a JavaScript array (probably a String
>>>>> array). I need to bind it to a dropdown (select element).
>>>>>
>>>>> I tried JSON.parse, but getting the following errors :
>>>>>
>>>>> jjs> JSON.parse("[AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0,
>>>>> AMQP-0-9]");
>>>>> <shell>:1 SyntaxError: Invalid JSON: <json>:1:1 Expected json literal
>>>>> but found ident
>>>>> [AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9]
>>>>> ^
>>>>>
>>>>> jjs> JSON.parse([AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0,
>>>>> AMQP-0-9]);
>>>>> ECMAScript Exception: SyntaxError: <shell>:1:28 Expected an operand
>>>>> but found default
>>>>> JSON.parse([AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9]);
>>>>> ^
>>>>>
>>>>> My OSGi method returns a Set<ProtocolType>.
>>>>>
>>>>> How can I achieve this ?
>>>>>
>>>>> Regards,
>>>>> Hemika
>>>>>
>>>>> Hemika Kodikara
>>>>> Software Engineer
>>>>> WSO2 Inc.
>>>>> lean . enterprise . middleware
>>>>> http://wso2.com
>>>>>
>>>>> Mobile : +94777688882
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> [email protected]
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Milinda Perera
>>>> Software Engineer;
>>>> WSO2 Inc. http://wso2.com ,
>>>> Mobile: (+94) 714 115 032
>>>>
>>>>
>>>
>>
>
--
With regards,
Manuranga Perera.
phone : 071 7 70 20 50
mail : [email protected]
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
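As an added example, not code from this thread, from WSO2 or from the Nashorn project, the following shows the "safe stringify" Manuranga asks for under point (1), applying the OWASP JavaScript encoding rule from [1]: every character of a string value outside [A-Za-z0-9] is emitted as a \xHH (or \uHHHH) escape, so the literal can never contain "</script>", a quote or a line terminator that ends the script context. The helper names (encodeJsString, safeJsLiteral, renderInlineScript, naiveInlineScript), the identifier check on the variable name and the hostile sample entry are assumptions made for this example; the protocol names are the ones from the thread.

```javascript
// Added example (not from the thread or WSO2): \x-encoding serializer for data
// embedded in an inline <script>. Structural characters ([ ] { } , : ") are kept
// because the output is a JavaScript literal for the JS parser, not JSON for
// JSON.parse (which does not accept \x escapes).

// Encode the contents of one string value (without the surrounding quotes).
// Iterates UTF-16 code units, so astral characters become surrogate-pair escapes.
function encodeJsString(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const code = s.charCodeAt(i);
    const alnum = (code >= 0x30 && code <= 0x39) ||   // 0-9
                  (code >= 0x41 && code <= 0x5a) ||   // A-Z
                  (code >= 0x61 && code <= 0x7a);     // a-z
    if (alnum) {
      out += s[i];
    } else if (code < 0x100) {
      out += '\\x' + code.toString(16).padStart(2, '0');
    } else {
      out += '\\u' + code.toString(16).padStart(4, '0');
    }
  }
  return out;
}

// Serialize a plain value (string, number, boolean, null, array, object) to a
// JavaScript literal whose string contents and object keys are \x-encoded.
function safeJsLiteral(value) {
  if (value === null || value === undefined) return 'null';
  switch (typeof value) {
    case 'string': return '"' + encodeJsString(value) + '"';
    case 'number': return Number.isFinite(value) ? String(value) : 'null';
    case 'boolean': return value ? 'true' : 'false';
    case 'object':
      if (Array.isArray(value)) {
        return '[' + value.map(safeJsLiteral).join(',') + ']';
      }
      return '{' + Object.keys(value)
        .filter((k) => value[k] !== undefined)  // like JSON.stringify: drop undefined members
        .map((k) => '"' + encodeJsString(k) + '":' + safeJsLiteral(value[k]))
        .join(',') + '}';
    default:
      throw new TypeError('cannot embed value of type ' + typeof value);
  }
}

// Assumed shape of the backend helper the thread proposes: it writes the whole
// <script> block itself, so no template escaping layer ({{ or {{{) sits between
// the data and the page. The variable name is developer-supplied, but it is still
// restricted to a plain identifier so it cannot smuggle in code.
function renderInlineScript(name, value) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name)) {
    throw new Error('variable name must be a plain identifier: ' + name);
  }
  return '<script>var ' + name + ' = ' + safeJsLiteral(value) + ';</script>';
}

// What the thread warns against: JSON.stringify escapes " and \ but leaves < and /
// alone, so a string value containing "</script>" terminates the script block.
function naiveInlineScript(name, value) {
  return '<script>var ' + name + ' = ' + JSON.stringify(value) + ';</script>';
}

// Constructed sample data: the protocol names from the thread plus one hostile
// entry that would close the script context under the naive approach.
const sampleProtocols = ['AMQP-0-10', 'MQTT-default', 'AMQP-0-91', 'AMQP-8-0', 'AMQP-0-9'];
const hostileValue = 'AMQP-0-9</script><b>';

console.log(renderInlineScript('protocols', sampleProtocols));
console.log(safeJsLiteral(hostileValue));   // no < or / survives in the literal
```

The encoded literal is meant to be written straight into the page by the backend helper. Passing it through `{{protocols}}` would HTML-escape the quotes to `&quot;` (the "Unexpected token &" seen in the thread), and `{{{protocols}}}` would again insert raw data, which is the hole point (1) is about.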