+1 for not using "{{{".

We will further check on adding such patterns ("{{{ * }}}") to the planned
Jenkins-based automated security scans (static code analysis).

On Fri, Jun 10, 2016 at 8:47 PM, SajithAR Ariyarathna <[email protected]>
wrote:

> +1 for abandoning "{{{"
>
> toClent("fromBackend.protocols", protocols);
>
> We can implement this in the next milestone.
>
> On Fri, Jun 10, 2016 at 8:12 PM, Manuranga Perera <[email protected]> wrote:
>
>> These are mistakes we have already made in our old systems, let's not
>> repeat them.
>>
>> 1) Please DO NOT use "{{{", it introduces SECURITY VULNERABILITIES.
>> Sajith, Rasika, we need to introduce a new function. Don't even tell people
>> about "{{{". In backend JS, Hemika should be able to do the following:
>>
>> toClent("fromBackend.protocols", protocols);
>>
>> and in the frontend, he should be able to just
>> console.log(fromBackend.protocols) and see the JSON.
>> Given the cost of this kind of vulnerability, I don't think we should
>> even do this as a temp solution. We should safe-stringify before sending;
>> view source of Gmail and search "var GLOBALS" and you see how safe JSON
>> stringify works. ALL non-alphanumeric characters have to be encoded with \x.
>> Not just " but things like <, which are normally considered safe in JSON,
>> have to be encoded [1].
>>
>> 2) We shouldn't be manually iterating to convert to JSON. This just adds
>> unnecessary boilerplate work the dev has to do. If we implement (1) we don't
>> need this for now. So we can discuss this later. But also see [2].
>>
>> [1] see "JavaScript Encoding" in
>> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Output_Encoding_Rules_Summary
>> [2]
>> http://mail.openjdk.java.net/pipermail/nashorn-dev/2013-September/002013.html
>>
>> On Fri, Jun 10, 2016 at 4:46 AM, Hemika Kodikara <[email protected]> wrote:
>>
>>> Also please note that I used the JSON.stringify method in server-side JS.
>>>
>>> Hemika Kodikara
>>> Software Engineer
>>> WSO2 Inc.
>>> lean . enterprise . middleware
>>> http://wso2.com
>>>
>>> Mobile : +94777688882
>>>
>>> On Fri, Jun 10, 2016 at 2:13 PM, Hemika Kodikara <[email protected]>
>>> wrote:
>>>
>>>> Thanks Rasika for the solution.
>>>>
>>>> In the client-side JS, I have the following code:
>>>>
>>>>     <script type="text/javascript">
>>>>         var protocols = {{{protocols}}};
>>>>         $.each(protocols, function(index, value) {
>>>>             $('#queue-subscription-protocols').append($('<option>').text(value).attr('value', index));
>>>>         });
>>>>     </script>
>>>>
>>>> Have to use 3 curly braces.
>>>>
>>>> Regards,
>>>> Hemika
>>>>
>>>>
>>>> On Fri, Jun 10, 2016 at 2:00 PM, Hemika Kodikara <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Milinda,
>>>>>
>>>>> It is not a string array, it's actually Java objects that are there.
>>>>>
>>>>> Hi Sajith,
>>>>>
>>>>> I modified the Nashorn script as follows:
>>>>>
>>>>> var onRequest = function (context) {
>>>>>     var protocols = callOSGiService("org.wso2.andes.kernel.Andes", "getSupportedProtocols", []);
>>>>>     var protocolStrings = [];
>>>>>     for each (var item in protocols) {
>>>>>         protocolStrings.push(item.toString());
>>>>>     }
>>>>>
>>>>>     // var protocolsJson = JSON.stringify(protocolStrings);
>>>>>     return {"protocols" : protocolStrings};
>>>>> };
>>>>>
>>>>> I am assigning the "protocols" JSON value to a JavaScript variable on
>>>>> the client side as follows:
>>>>>
>>>>>         var protocols = {{protocols}};
>>>>>         $.each(protocols, function(index, value) {
>>>>>             $('#queue-subscription-protocols').append($('<option>').text(value).attr('value', index));
>>>>>         });
>>>>>
>>>>>
>>>>> But I am getting the following errors when the page (client-side JS) is
>>>>> rendered:
>>>>>
>>>>> var protocols = [object Array];    <-- Syntax error
>>>>>
>>>>> When I use JSON.stringify in server-side JS, I get the following
>>>>> output:
>>>>>
>>>>> var protocols =
>>>>> [&quot;AMQP-0-10&quot;,&quot;MQTT-default&quot;,&quot;AMQP-0-91&quot;,&quot;AMQP-8-0&quot;,&quot;AMQP-0-9&quot;];
>>>>>   <-- Unexpected token &
>>>>>
>>>>> Any idea?
>>>>>
>>>>> Regards,
>>>>> Hemika
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 10, 2016 at 12:51 PM, Milinda Perera <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi Hemika,
>>>>>>
>>>>>> If AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9 are
>>>>>> strings, the following should work:
>>>>>>
>>>>>> JSON.parse("[\"AMQP-0-10\", \"MQTT-default\", \"AMQP-0-91\",
>>>>>> \"AMQP-8-0\", \"AMQP-0-9\"]")
>>>>>>
>>>>>> According to [1], within an array "A value can be a string in
>>>>>> double quotes, or a number, or true or false or null, or an
>>>>>> object or an array. These structures can be nested."
>>>>>>
>>>>>> [1] http://www.json.org/
>>>>>>
>>>>>> Thanks,
>>>>>> Mili
>>>>>>
>>>>>> On Fri, Jun 10, 2016 at 12:33 PM, Hemika Kodikara <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I am invoking the callOSGiService method in Nashorn to get a list of
>>>>>>> protocols that's in Andes of MB.
>>>>>>>
>>>>>>> I am getting the following output after invoking callOSGiService:
>>>>>>> [AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9]
>>>>>>>
>>>>>>> But I need to convert it into a JavaScript array (probably a String
>>>>>>> array). I need to bind it to a dropdown (select element).
>>>>>>>
>>>>>>> I tried JSON.parse, but I am getting the following errors:
>>>>>>>
>>>>>>> jjs> JSON.parse("[AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0,
>>>>>>> AMQP-0-9]");
>>>>>>> <shell>:1 SyntaxError: Invalid JSON: <json>:1:1 Expected json
>>>>>>> literal but found ident
>>>>>>> [AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9]
>>>>>>>  ^
>>>>>>>
>>>>>>> jjs> JSON.parse([AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0,
>>>>>>> AMQP-0-9]);
>>>>>>> ECMAScript Exception: SyntaxError: <shell>:1:28 Expected an operand
>>>>>>> but found default
>>>>>>> JSON.parse([AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9]);
>>>>>>>                             ^
>>>>>>>
>>>>>>> My OSGi method returns a Set<ProtocolType>.
>>>>>>>
>>>>>>> How can I achieve this?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Hemika
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> [email protected]
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Milinda Perera
>>>>>> Software Engineer;
>>>>>> WSO2 Inc. http://wso2.com ,
>>>>>> Mobile: (+94) 714 115 032
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> With regards,
>> *Manu*ranga Perera.
>>
>> phone : 071 7 70 20 50
>> mail : [email protected]
>>
>
>
>
> --
> Sajith Janaprasad Ariyarathna
> Software Engineer; WSO2, Inc.;  http://wso2.com/
>



-- 
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware

Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
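An added example, not code from the thread or from WSO2, of the "safe stringify" Manuranga describes and the helper he sketches as toClent (spelled toClient here), with the checks a reviewer would want: the emitted literal contains nothing that can close an inline script element, and a browser evaluating it gets the original value back. The names toClient, fromBackend, escapeJsString, containsScriptBreakers and roundTrips are assumptions.

```javascript
// Added example, not code from the thread or from WSO2: a "safe stringify"
// for embedding backend data in an inline <script> block. Inside every
// string literal, each character outside [A-Za-z0-9] becomes \xHH (\uHHHH
// above 0xFF), so no '<', '>', '&', '"', '/' or U+2028/U+2029 survives.
// toClient, fromBackend.* and the helper names below are assumptions.
function escapeJsString(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {   // UTF-16 code units, so surrogate
    const c = s.charCodeAt(i);            // pairs become two \uXXXX escapes
    if (/[0-9A-Za-z]/.test(s[i])) {
      out += s[i];
    } else if (c < 0x100) {
      out += "\\x" + c.toString(16).padStart(2, "0");
    } else {
      out += "\\u" + c.toString(16).padStart(4, "0");
    }
  }
  return out;
}

// JSON.stringify first, then re-encode the body of every string token (keys
// and values). JSON.stringify output is well-formed, so the regex matches
// exactly the string tokens; [ ] { } : , and bare literals are untouched.
function safeStringify(value) {
  return JSON.stringify(value).replace(/"(?:[^"\\]|\\.)*"/g,
    (tok) => '"' + escapeJsString(JSON.parse(tok)) + '"');
}

// Emit the script text that publishes `value` under a dotted global path.
function toClient(path, value) {
  if (!/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(path)) {
    throw new Error("invalid client variable path: " + path);
  }
  const parts = path.split(".");
  let js = "var " + parts[0] + " = " + parts[0] + " || {};\n";
  for (let i = 1; i < parts.length - 1; i++) {
    const prefix = parts.slice(0, i + 1).join(".");
    js += prefix + " = " + prefix + " || {};\n";
  }
  return js + path + " = " + safeStringify(value) + ";\n";
}

// Defender's checks: nothing that can close the <script> element may remain,
// and evaluating the literal as a browser would must give the input back.
function containsScriptBreakers(js) { return /[<>&\u2028\u2029]/.test(js); }
function roundTrips(value) {
  const back = new Function("return " + safeStringify(value))();
  return JSON.stringify(back) === JSON.stringify(value);
}
```

The output of toClient("fromBackend.protocols", protocols) is what the server template would place inside the script block, so the client then reads fromBackend.protocols directly, with no `{{` or `{{{` involved.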