I'll quote what I said in the $.ajax "auto" discussion (see last 2 paragraphs especially):
> > There's something significant behind the buzz, though. I really don't
> > want to read the announcement: "ATTN everyone using jQuery.ajax(). If
> > you're going to update your library or if you're linking to the latest
> > on google and it's updated FOR you without your knowledge, you MUST
> > first go through all of your existing code and explicitly choose a
> > dataType. This is because we have changed dataType's default behavior
> > which now makes it possible that javascript could be eval'd undesirably.
> > Also, if you depended upon an xml/html only guess in your app design,
> > well then I guess you're out of luck for now."
> >
> > Obviously I'm no good at writing announcements but this is the gist of
> > why we need a new setting to allow guess-anything/auto-detect or
> > whatever we call it.
>
> Well, let's take the original request here: it was about having ajax
> automatically fetch json data using the content-type header. Letting the
> server decide whether javascript code should be executed or not
> client-side is wrong no matter how you look at it. It should be a
> conscious decision from the developers (just like it is when dealing with
> <script /> embedded into html or jsonp requests). So I'm clearly against
> auto-fetching scripts (sorry that I totally forgot to say so earlier).
>
> Now we're left with pure json which is eval'd if there is no native JSON
> object client-side. Wouldn't it be feasible to regexp test the string
> before evaluation to avoid malicious code in that case? If so, there is
> strictly no reason not to allow the auto-fetching feature for json
> dataType. For instance, http://code.google.com/p/jquery-json/ provides a
> secureEvalJSON method that makes some tests before evaluating the string
> expression. Seems to me like a good way to start.

btw, I also saw you landed an auto-fetching for script (FYI, I "synchronized" the rewrite with latest changes, including javascript auto-execution) but I believe it is just plain wrong to let the server decide what should be executed client-side (especially with cross-domain xhr getting more widespread). Protected JSON decoding is fine by me but javascript silently getting executed seems like a hell of a hole.

I hope I'm not derailing this conversation too much... and happy new year to both of you :)

2010/1/7 John Resig <jere...@gmail.com>

> We already support non-standard JSON strings since that's what we've
> always supported. We do so by putting a try/catch around the
> JSON.parse and falling back to the new Function technique, if an
> exception is thrown.
>
> Fundamentally though, using JSON.parse is faster and safer (although,
> if we use the fallback technique then 'safer' is kind of going out the
> window in favor of "supporting more edge cases").
>
> --John
>
> On Thu, Jan 7, 2010 at 9:00 AM, DBJDBJ <dbj...@gmail.com> wrote:
> > Sensible approach. But how is the following issue of using "non
> > standard" JSON strings solved:
> >
> > IE8: JSON.parse("{ 'a':1 }") ---> Syntax Error
> > CHROME: JSON.parse("{ 'a':1 }") ---> OK
> > FF: JSON.parse("{ 'a':1 }") ---> Syntax Error
> > OPERA 10.10: JSON.parse("{ 'a':1 }") ---> Undefined variable JSON
> > SAFARI 4.0.4: JSON.parse("{ 'a':1 }") ---> Syntax Error
> >
> > I suppose John will reply: "...we do not support non standard
> > usage ..."
> > And then I might reply: but CHROME does?
> > Ad infinitum ...
> >
> > Instead I suggest a more productive approach. I suggest JSON.parse not
> > to be used. (shock?horror!)
> > The good old Function() just works. Even in IE8:
> >
> > var data = "{ 'a':1 }" ; // or the proper syntax '{ "a" : 1 }'
> > data = (new Function("return " + data))();
> >
> > Above works in each browser, regardless of the fact that "{ 'a':1 }"
> > is not a proper JSON syntax. Including IE8, FF and SAFARI where
> > JSON.parse("{'a':1}") throws an error.
> > Above also works in browsers which have no JSON as a native object, of
> > course.
> > A true "cross browser" solution, indeed. It will even lead to a
> > slightly faster jQuery since one try/catch combo will be removed
> > (currently in ajax.js, around line 583)
> >
> > Now, one might ask why should jQuery 1.4 support "non-standard" JSON
> > strings?
> > For the same reasons CHROME does, is my answer to that.
> >
> > Thanks for reading ... DBJ
> >
> > On Jan 6, 2:16 pm, John Resig <jere...@gmail.com> wrote:
> >> How are you hitting this issue in jQuery? jQuery never uses
> >> JSON.stringify, only JSON.parse.
> >>
> >> We don't really like overwriting native methods - especially ones that
> >> we don't use - to fix bugs.
> >>
> >> --John
> >>
> >> On Wed, Jan 6, 2010 at 12:46 AM, Leeoniya <leeon...@gmail.com> wrote:
> >> > for some reason my github commit comments are not showing up except in
> >> > the RSS feed...so re-posting here.
> >> >
> >> > Comment in ff3645e:
> >> >
> >> > i've run into a known IE8 issue in the past with its native parser's
> >> > inability to serialize empty values of DOM elements.
> >> >
> >> > details here: http://tinyurl.com/m2j294
> >> >
> >> > just a heads up,
> >> > Leon

--
You received this message because you are subscribed to the Google Groups "jQuery Development" group.
To post to this group, send email to jquery-...@googlegroups.com.
To unsubscribe from this group, send email to jquery-dev+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/jquery-dev?hl=en.
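The thread above contrasts two ways of turning a response body into data: the cross-browser `new Function("return " + data)()` trick from DBJ's message, which runs whatever the server sent, and the "regexp test the string before evaluation" idea from the quoted $.ajax discussion. The following JavaScript is an added example, not jQuery's code and not anything posted in the thread. It puts the unguarded decode beside a guarded one that prefers native `JSON.parse` and reaches the evaluation fallback only after a structural check. `looksLikeJSON` is modelled on the token-replacement test in Crockford's json2.js, extended here (my addition) to also accept single-quoted string literals so that DBJ's `{ 'a':1 }` case passes; `recordSideEffect`, `sideEffectCount` and every sample input are constructed for this example.

```javascript
// Counter used only to show that the unguarded decoder executes code
// contained in the response body (constructed for this example).
let sideEffects = 0;
globalThis.recordSideEffect = () => { sideEffects += 1; };
function sideEffectCount() { return sideEffects; }

// The trick from the thread: evaluate the body as a JavaScript expression.
// Whatever the server returns runs with the page's privileges.
function unguardedDecode(text) {
  return new Function("return " + text)();
}

// Structural check modelled on json2.js: erase escape sequences, string
// literals (double- or, as an extension here, single-quoted), numbers and the
// keywords true/false/null, then erase "[" runs in legal positions. Only JSON
// punctuation and whitespace may remain; identifiers, calls or operators fail
// the check before anything is evaluated.
function looksLikeJSON(text) {
  const stripped = String(text)
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
    .replace(/"[^"\\\n\r]*"|'[^'\\\n\r]*'|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    .replace(/(?:^|:|,)(?:\s*\[)+/g, "");
  return /^[\],:{}\s]*$/.test(stripped);
}

// Guarded decoder: native JSON.parse first (fast, never executes code). The
// evaluation fallback is used only when JSON.parse is missing or rejects the
// text, and only if the structural check passes; otherwise decoding fails.
function guardedDecode(text) {
  if (typeof JSON === "object" && typeof JSON.parse === "function") {
    try {
      return JSON.parse(text);
    } catch (e) {
      // Non-standard input (trailing comma, single quotes): fall through to
      // the checked fallback rather than silently evaluating.
    }
  }
  if (!looksLikeJSON(text)) {
    throw new SyntaxError("response body is not JSON; refusing to evaluate it");
  }
  return new Function("return " + text)();
}

// Stand-alone demonstration on constructed inputs.
console.log(guardedDecode('{"a":1}'));            // native parse
console.log(guardedDecode("{ 'a':1 }"));          // checked fallback
console.log(looksLikeJSON('{"a": recordSideEffect()}')); // false: rejected
```

The guard accepts the "more edge cases" John mentions (a trailing comma, single-quoted keys) because after token erasure nothing but JSON punctuation is left, while a body that carries a call, an identifier or an operator is refused before the `Function` constructor is ever reached. In any environment that has a native `JSON` object the fallback is never taken for well-formed JSON, which is the behaviour John describes for jQuery's own try/catch.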