Sure. In this regard, the Firebug code looks to already filter JSON strings 
before parsing them, so adding a filter, if widely used, may make sense.

Note that in your Spring documentation, "{}&&" is a default prefix that may 
be customized. Maybe the additional filter should be based on a 
configurable list of prefixes that would include "{}&&" by default.

On Wednesday, September 3, 2014 16:36:22 UTC+2, [email protected] wrote:
>
> It's not really _a JSON_ standard, it's more of securing the JSON, as it 
> says "The prefix renders the string syntactically invalid as a script so 
> that it cannot be hijacked". IBM is also using this in some of its 
> products. Support for it would be pretty simple. Just adding these lines:
>    if (jsonString.length > 4 && jsonString.substring(0, 4) == "{}&&") {
>        jsonString = jsonString.substring(4);
>    }
> in 
> https://github.com/firebug/firebug/blob/master/extension/content/firebug/lib/json.js
>  
> line 24
>
> On Wednesday, September 3, 2014 4:26:11 PM UTC+3, Alexandre Morgaut wrote:
>>
>> A simple test on http://jsonlint.com shows an error
>>
>> {}&&["foo","bar,"baz"]
>>
>> =>
>>
>> Parse error on line 3:
>> {    }&&[    "foo",    "
>> ------^
>> Expecting 'EOF', '}', ',', ']'
>>
>>
>> On Tuesday, September 2, 2014 23:01:32 UTC+2, [email protected] wrote:
>>>
>>>
>>> http://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.html#setPrefixJson-boolean-
>>>
>>> Yeah, it's a somewhat common standard. 
>>>
>>> On Monday, September 1, 2014 9:43:35 PM UTC+3, Simon Lindholm wrote:
>>>>
>>>> We do some forms of such JSON prefix stripping, but not for {}&&. See 
>>>> https://github.com/firebug/firebug/blob/master/extension/content/firebug/lib/json.js.
>>>>  
>>>> Is "{}&&" a common standard?
>>>>
>>>> On Sunday, August 31, 2014 at 22:25:19 UTC+2, [email protected] wrote:
>>>>>
>>>>> Prefixing the JSON string in this manner is used to help prevent JSON 
>>>>> Hijacking. The prefix renders the string syntactically invalid as a 
>>>>> script so that it cannot be hijacked. However, Firebug does not seem to 
>>>>> be able to evaluate it as JSON either, because Firebug isn't creating 
>>>>> the JSON tab for these kinds of responses. Is this a bug, a feature or 
>>>>> a defect? 
>>>>>
>>>>> Would it be possible that, when the returned JSON has the {}&& prefix, it 
>>>>> would work the same way as if it didn't have it, just cutting it out?
>>>>>
>>>>

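The configurable prefix list suggested at the top of this thread could look like the following. This is an added example, not Firebug's code and not written by any poster; only "{}&&" comes from the thread, and the other default entries and all function names are assumptions made for illustration.

```javascript
// "{}&&" is the prefix discussed in the thread. The remaining entries are
// other widely used anti-hijacking prefixes, included here as assumptions
// about what a default list could contain.
const DEFAULT_PREFIXES = ["{}&&", ")]}',", ")]}'", "while(1);", "for(;;);"];

// Remove at most one known prefix. Only an exact match at the start (after
// optional whitespace) is stripped, so an ordinary payload such as {} or
// {"a":1} is never altered.
function stripJsonPrefix(text, prefixes = DEFAULT_PREFIXES) {
  const trimmed = text.replace(/^\s+/, "");
  // Longest first, so overlapping entries in a custom list behave predictably.
  const ordered = prefixes.filter((p) => p.length > 0)
    .sort((a, b) => b.length - a.length);
  for (const prefix of ordered) {
    if (trimmed.startsWith(prefix)) {
      return { prefix, body: trimmed.slice(prefix.length) };
    }
  }
  return { prefix: null, body: text };
}

// Parse a response body for display. JSON.parse only, never eval(): the
// prefix exists so the payload cannot run as script, and a viewer must keep
// treating it as data.
function parseProtectedJson(text, prefixes = DEFAULT_PREFIXES) {
  const { prefix, body } = stripJsonPrefix(text, prefixes);
  try {
    return { ok: true, prefix, value: JSON.parse(body) };
  } catch (err) {
    // Prefix with no body, truncated body, or not JSON: report it, do not guess.
    return { ok: false, prefix, error: err.message };
  }
}

// Constructed sample responses (not captured traffic).
const samples = [
  '{}&&["foo","bar","baz"]',
  '{}&&["foo","bar,"baz"]', // the malformed input pasted into jsonlint above
  ")]}',\n{\"user\":\"alice\"}",
  '{}&&',
  '{"plain":true}',
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(parseProtectedJson(s)));
}
```
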