> All I'm advocating for is valid JSON- I thought that was the Core team's
> position now as well, since they finally addressed the key-quoting issue
> in http://dev.rubyonrails.org/changeset/7697
>
> Am I wrong about that?
No, you're not wrong. All I'm looking for is for people to report that the change does still address the XSS vulnerability when they +1 the ticket. The change seems perfectly reasonable, but the vulnerability was the result of the browsers' liberal parsing algorithms doing things which still seem unreasonable to me; who knows if this change still fixes it? We don't need more talk of validity or spec compliance, we need reports about browser behaviour from multiple different platforms and browsers.

The Secunia guys have an advisory about this particular issue, I suppose they'll be able to let you know if the change still triggers their test script. If we can be comfortable we're not introducing a security regression, then we can get down to the talk about how we encode those values, whether it's sane to assume utf-8 encoded strings, and all that other good stuff :)

--
Cheers

Koz
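One way to make the encoded output hold up regardless of how leniently a browser parses the page around it, as an added example that is not the changeset's code or Rails's own encoder (`script_safe_json`, `HTML_UNSAFE` and the sample hash are hypothetical):

```ruby
require 'json'

# Added example, not Rails code. First produce valid JSON (quoted keys via
# JSON.generate), then \u-escape the characters that matter when the text is
# dropped into an HTML <script> block: <, >, & (HTML significance) and the
# JavaScript line terminators U+2028/U+2029. The result is still valid JSON,
# so any compliant parser gets the original data back, but the encoded text
# can no longer close or open a tag if the browser scans it as HTML.
HTML_UNSAFE = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

def script_safe_json(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/) { |c| HTML_UNSAFE[c] }
end

# Constructed sample input: a user-supplied string that, encoded naively,
# would end the surrounding <script> block.
SAMPLE = { name: 'Koz', bio: '</script><i>x</i> & more', note: "a\u2028b" }.freeze

# Round-trip check a reviewer can run: the escaped form parses back to the
# same data and contains no raw tag delimiters.
def round_trips?(value)
  encoded = script_safe_json(value)
  JSON.parse(encoded, symbolize_names: true) == value && !encoded.match?(/[<>&]/)
end

puts script_safe_json(SAMPLE) if $PROGRAM_NAME == __FILE__
```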
