I think this feature might be better to add as a library. I'm working on a patch for Mozilla that provides a native JSON implementation like so: |new JSON()|. I had been basing the API on Bob's Python simplejson API, but it looks like Google Caja did something similar in JS, so I might go with their method and argument names instead. It's pretty much the same otherwise.
<http://google-caja.googlecode.com/svn/trunk/src/js/com/google/caja/safe-json.js>

Note that Caja's implementation of JSON.serialize makes exactly the same changes that have been proposed (and greeted with silence) here...

For json.js, other objects can provide their own implementation of toJSONString(), in which case JSON serialization relies on these objects to return a correct JSON string. If an object instead returns an unbalanced part of a JSON string and another object returns a compensating unbalanced string, then an outer toJSONString() can produce quoting confusions that invite XSS-like attacks. The primary purpose of safe-json.js is to prevent such attacks.

--
Robert Sayre

"I would have written a shorter letter, but I did not have the time."

_______________________________________________
Es4-discuss mailing list
https://mail.mozilla.org/listinfo/es4-discuss
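
The quoting confusion described in the message above, as an added example that is not part of the original post and is not code from json.js or safe-json.js. The names `walk`, `trustingSerialize` and `checkedSerialize` are hypothetical, and checking each fragment with `JSON.parse` is an assumed mitigation, not a description of how Caja does it.

```javascript
// Added example: hypothetical serializers, not json.js or safe-json.js code.
function walk(value, onCustom) {
  if (value !== null && typeof value === "object") {
    if (typeof value.toJSONString === "function") {
      return onCustom(value.toJSONString());
    }
    if (Array.isArray(value)) {
      return "[" + value.map(function (v) { return walk(v, onCustom); }).join(",") + "]";
    }
    return "{" + Object.keys(value).map(function (k) {
      return JSON.stringify(k) + ":" + walk(value[k], onCustom);
    }).join(",") + "}";
  }
  return JSON.stringify(value); // strings, numbers, booleans, null
}

// Trusting: splice whatever toJSONString() returned into the output.
function trustingSerialize(value) {
  return walk(value, function (fragment) { return fragment; });
}

// Checked (assumed mitigation): accept a fragment only if it is a complete
// JSON text by itself, then re-encode it so no raw caller text is emitted.
function checkedSerialize(value) {
  return walk(value, function (fragment) {
    var parsed;
    try {
      parsed = JSON.parse(fragment);
    } catch (e) {
      throw new TypeError("toJSONString() returned an unbalanced fragment");
    }
    return JSON.stringify(parsed);
  });
}

// Constructed sample input: two objects whose fragments are each unbalanced
// but compensate for one another once the serializer joins them.
var opener = { toJSONString: function () { return '"a'; } };
var closer = { toJSONString: function () { return 'b"'; } };
var sample = [opener, 42, closer];
var wellBehaved = { toJSONString: function () { return '{"id":7}'; } };

function demo() {
  var out = trustingSerialize(sample); // three elements collapse into one string
  var rejected = false;
  try { checkedSerialize(sample); } catch (e) { rejected = e instanceof TypeError; }
  return { trusting: out, elements: JSON.parse(out).length, rejected: rejected };
}
console.log(demo());
```

The trusting output is valid JSON, so a parse check on the final string alone would not catch it; the commas the serializer emitted as structure have become string data.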
