On Wed, Dec 16, 2009 at 09:40, Peter Schneider <p.schnei...@tis-gmbh.de> wrote:
> Checking the received JSON message before parsing it is a good point in any
> case, anyway. I'm not sure, but I think something like that can be found in
> the "contrib"...

No, that's already done when the response type is set to "application/json". The XmlHttp transport calls qx.util.Json.parse() which sanitizes the input before calling eval(). The sanitizing is done with a couple of regular expressions. I'd be perfectly happy if you'd look over those for any possible missing sanitizing, but I'm pretty certain they came from JSON.org and have been well peer-reviewed. (That's not to say that something hasn't possibly been missed...)

If you specify a response type of "text/javascript" OTOH, then XmlHttp transport naively calls eval(), so you'd better know what you're going to get back from the server if you specify that response type in your application.

> In general, my reference to those questions is the book "JavaScript - The
> Definitive Guide"[1] but still I was a bit uncertain.

That's the bible. I'm glad you're using it. :-)

Derrell
_______________________________________________
qooxdoo-devel mailing list
qooxdoo-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel