Looks good to me.
- Dash -
Stephan Ellis wrote:
> OK, so I went over the code, and it appears that as long as the X-JSON
> header does not exist and my Content-type is application/javascript and my
> json in the response body is wrapped with:
>
> /*-secure- (some whitespace) [json data here](some more whitespace) */
>
> It should evaluated the response body. Am I wrong?
>
> -stephan
>
> On 5/21/07, David Dashifen Kees <[EMAIL PROTECTED]> wrote:
>
>> Wow ... I didn't know that about the content-type of the response body.
>> Thanks.
>> - Dash -
>>
>> Tom Gregory wrote:
>>
>>> The value of the X-JSON header and whether the response body is
>>> evaluated are separate concerns. If the X-JSON header is present, and
>>> evals to a json object, it's passed as the second parameter to
>>> onSuccess, et al.
>>>
>>> e.x.
>>> onSuccess (transport, json) {
>>> // ...
>>> }
>>>
>>> The eval of the response body is based on the "Content-type" header.
>>> If you poke around the code from svn, you'll find these lines in
>>> ajax.js:
>>>
>>> var contentType = this.getHeader('Content-type');
>>> if (contentType && contentType.strip().
>>> match(/^(text|application)\/(x-)?(java|ecma)script(;.*)?$/i))
>>> this.evalResponse();
>>> // ...
>>>
>>> // ...
>>> evalResponse: function() {
>>> try {
>>> return eval((this.transport.responseText || '').unfilterJSON());
>>> } catch (e) {
>>> this.dispatchException(e);
>>> }
>>> }
>>>
>>> Does that make things any clearer?
>>>
>>>
>>> TAG
>>>
>>> On May 21, 2007, at 12:38 PM, Stephan Ellis wrote:
>>>
>>>
>>>
>>>> Yes, my framework, specifically my view that generates JSON sticks
>>>> the X-JSON header in to accommodate prototype. I guess to rephrase
>>>> my question, if I turn on the X-JSON header, is it supposed to
>>>> automatically eval the response body? Sorry if I seem like I have
>>>> a thick skull :) Thanks a bunch...
>>>> -stephan
>>>>
>>>> On 5/21/07, David Dashifen Kees <[EMAIL PROTECTED]> wrote:
>>>>
>>>> Yes. If your JSON is in the response body, you will have to
>>>> evaluate it
>>>> yourself. It must be the framework you're using which is creating the
>>>> X-JSON header, perhaps? For example:
>>>>
>>>> new Ajax.Request("some_page.php", {
>>>> parameters: {id: 6},
>>>> onComplete: function(xhr) {
>>>> var json = xhr.responseText.evalJSON(true);
>>>> /* ... do something else ... */
>>>> }
>>>> });
>>>>
>>>> You're responseText should then be valid JSON. For more information,
>>>> see http://prototypejs.org/api/string/evaljson.
>>>>
>>>> - Dash -
>>>>
>>>> Stephan Ellis wrote:
>>>>
>>>>
>>>>> Dash,
>>>>> Thanks for the reply. Are you saying that I have to evaluate the
>>>>> reponseText myself if the JSON is in the response body? I
>>>>>
>>>>>
>>>> configured my
>>>>
>>>>
>>>>> application to not send the X-JSON header, but prototype is still
>>>>>
>>>>>
>>>> not
>>>>
>>>>
>>>>> evaluating the response body.
>>>>>
>>>>> Thanks,
>>>>> -stephan
>>>>>
>>>>> On 5/21/07, David Dashifen Kees <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>>
>>>>>
>>>>>> The problem is how you're sending information in the X-JSON header.
>>>>>> Prototype will try to automatically evaluate anything in the X-JSON
>>>>>> header assuming that it is a JSON string. You're X-JSON header
>>>>>>
>>>>>>
>>>> is not a
>>>>
>>>>
>>>>>> JSON string but rather another call to eval() so the internal
>>>>>>
>>>>>>
>>>> Prototype
>>>>
>>>>
>>>>>> String.evalJSON() function is probably your failure point.
>>>>>>
>>>>>> Instead, either make "var json = transport.responseText.evalJSON
>>>>>>
>>>>>>
>>>> (true)"
>>>>
>>>>
>>>>>> the first line of your callback function, or make sure that your
>>>>>>
>>>>>>
>>>> X-JSON
>>>>
>>>>
>>>>>> header is *only* a JSON string.
>>>>>>
>>>>>> Also, you should be aware that Prototype 1.5.1 added security
>>>>>>
>>>>>>
>>>> features
>>>>
>>>>
>>>>>> to help avoid the execution of JSON with invalid code or
>>>>>>
>>>>>>
>>>> malicious code
>>>>
>>>>
>>>>>> within it. As a result, JSON created and passed around by
>>>>>>
>>>>>>
>>>> prototype has
>>>>
>>>>
>>>>>> /*-secure- before your JSON and */ after it. If you use the
>>>>>> String.evalJSON() function to parse your information, you might
>>>>>>
>>>>>>
>>>> need to
>>>>
>>>>
>>>>>> explicitly add these strings before and after your JSON to
>>>>>>
>>>>>>
>>>> evaluate it
>>>>
>>>>
>>>>>> properly.
>>>>>>
>>>>>> - Dash -
>>>>>>
>>>>>> smellis wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Hello Everyone,
>>>>>>>
>>>>>>> I upgraded to 1.5.1 today and I have run into a problem:
>>>>>>>
>>>>>>>
>>>> automatic
>>>>
>>>>
>>>>>>> JSON evaluation has stopped working. On the server side I use
>>>>>>> Catalyst, an MVC framework for perl. I use
>>>>>>>
>>>>>>>
>>>> Catalyst::View::JSON to
>>>>
>>>>
>>>>>>> turn my perl data structures in to JSON. Here is what my response
>>>>>>> headers look like:
>>>>>>>
>>>>>>> Response Headers
>>>>>>> Connection close
>>>>>>> Date Mon, 21 May 2007 15:12:54 GMT
>>>>>>> Content-Length 984
>>>>>>> Content-Type application/javascript; charset=utf-8
>>>>>>> Set-Cookie
>>>>>>>
>>>>>>>
>>>> bg2_session=5279b9253f970f84dd032ec4a00ba2a34dcff66c;
>>>>
>>>>
>>>>>>> path=/; expires=Mon, 21-May-2007 17:12:54 GMT
>>>>>>> Status 200
>>>>>>> X-Catalyst 5.7007
>>>>>>> X-JSON eval("("+this.transport.responseText+")")
>>>>>>>
>>>>>>> The JSON is actually in the response body. I had to subclassed my
>>>>>>> JSON view to spit out application/javascript, because the default
>>>>>>> content-type (application/json) is not listed in the prototype
>>>>>>> documentation as one that will cause prototype to auto evaluate
>>>>>>>
>>>>>>>
>>>> the
>>>>
>>>>
>>>>>>> reponse. I have tried turning off the X-JSON header to see if
>>>>>>>
>>>>>>>
>>>> that
>>>>
>>>>
>>>>>>> was a problem, but it still doesn't work. Any ideas? Thanks in
>>>>>>> advance. -stephan
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>
>>>
>
> >
>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Spinoffs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/rubyonrails-spinoffs?hl=en
-~----------~----~----~----~------~----~------~--~---
