Comment #12 on issue 978 by erights: Raw JSON creates vulnerability. Needs wrapping
http://code.google.com/p/google-caja/issues/detail?id=978
Now that the vulnerability has been patched, so that we can talk about the bug publicly, we can now openly discuss what the right way to fix this is.

Responding to previous comments by Ihab and Mike Samuel about postprocessing:

As the original bug report says:

Given the way the JSON APIs use the reviver and replacer APIs, we should be able to wrap the real JSON with a wrapper that conjoins our sanitizing replacer/reviver with any supplied by the user.

However, our current implementation of JSON.parse omits the reviver parameter. So long as the reviver is omitted, it is fine to wait until a JSON parse completes to post-process with something like initializeMap. But once we support the ES3.1 JSON API (i.e., approximately the json2.js API), then we need to do our postprocessing before any user-provided reviver is run.

On platforms implementing the ES3.1 JSON directly, we can have the built-in JSON implementation do all this interleaved with parsing, in one pass. To do so, we'd provide a tamedJSON whose parse wraps the user-provided reviver in one that first applies our own postprocess before invoking the user-provided reviver.
--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
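The tamedJSON.parse shape described in the comment above, as an added example that is not Caja's code: a sanitizing reviver is conjoined with the user's reviver so that the sanitizer sees every (key, value) pair first, in the same pass as parsing. The sanitizer policy (dropping properties named "__proto__") is an assumed stand-in for Caja's own postprocessing, not initializeMap; the user reviver and sample input are constructed for the demonstration.

```javascript
// Added example, not Caja's code: a tamedJSON whose parse wraps the
// user-supplied reviver so a sanitizing reviver runs on each value first.
const RAW_JSON = JSON; // the real, untamed JSON object

// Stand-in for Caja's own postprocessing (assumed policy, not initializeMap):
// drop any property named "__proto__". A reviver that returns undefined makes
// JSON.parse delete that property from its holder object.
function sanitize(key, value) {
  return key === '__proto__' ? undefined : value;
}

// Conjoin the two revivers: the sanitizer sees every (key, value) first, and
// the user's reviver is never handed a value the sanitizer removed.
function conjoinRevivers(sanitizer, userReviver) {
  if (typeof userReviver !== 'function') return sanitizer;
  return function (key, value) {
    const cleaned = sanitizer.call(this, key, value);
    return cleaned === undefined ? undefined : userReviver.call(this, key, cleaned);
  };
}

const tamedJSON = {
  parse(text, reviver) {
    return RAW_JSON.parse(text, conjoinRevivers(sanitize, reviver));
  },
};

// Constructed input and a constructed user reviver that doubles numbers and
// records every key it is handed, so raw and tamed parses can be compared.
const SAMPLE = '{"a":1,"__proto__":{"polluted":true},"b":{"c":2}}';

function parseWith(parseFn) {
  const seen = [];
  const result = parseFn(SAMPLE, function (key, value) {
    seen.push(key);
    return typeof value === 'number' ? value * 2 : value;
  });
  return { result, seen };
}

function demo() {
  return {
    raw: parseWith(RAW_JSON.parse.bind(RAW_JSON)),     // user reviver sees "__proto__"
    tamed: parseWith(tamedJSON.parse.bind(tamedJSON)), // sanitizer removed it first
  };
}
```

Revivers run bottom-up, so the user reviver still sees the nested "polluted" key before the sanitizer deletes its parent; only the "__proto__" property itself is withheld and removed from the result.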