I *think* this is safe now, but we still need to check a few things:
- ProxyHandler, in the JS path (make sure it's outputting real json)
- Popular gadgets that were previously using _IG_Fetch* functions
  (gmodules.com had the same behavior as we do today, so some gadget authors
  may have been writing assuming this).
- Anywhere else that JSON is generated in the current code base.
On Mon, Feb 25, 2008 at 6:32 AM, Paul Lindner <[EMAIL PROTECTED]> wrote:
> With the latest set of code changes it appears that we can remove the
> file json.js in the javascript/container directory. The only thing
> using json.js is ifpc_relay.html, which I think we can adjust...
>
> On Thu, Feb 14, 2008 at 03:34:02PM -0500, Kevin Brown wrote:
> > The only difference is that we allow single quotes on strings -- something
> > which is technically invalid JSON, but is secure.
> >
> > We're leaving this in for the short term in the interest of compatibility
> > with solutions that purely relied on eval, but we'll most likely remove it
> > in the future.
> >
> > On Thu, Feb 14, 2008 at 4:37 AM, Paul Lindner <[EMAIL PROTECTED]> wrote:
> >
> > > Hi,
> > >
> > > I just wasted a number of hours due to my copying
> > > features/core/json.js to javascript/container/json.js and adjusting it
> > > to support the gadgets.JSON and JSON prefixes.
> > >
> > > Turns out that on Firefox quotes were not getting stripped/evaluated
> > > properly which resulted in ifpc call breakage.
> > >
> > > For example ifpc calls for
> > >
> > > resize_iframe
> > >
> > > were instead trying to use
> > >
> > > "resize_iframe"
> > >
> > > All of the arguments had quotes surrounding them..
> > >
> > > The functional difference between the two json.js files is this:
> > >
> > > return !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
> > > - text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
> > > + text.replace
> (/("(\\.|[^"\\])*")|('(\\.|[^'\\])*')/g,
> > > ''))) &&
> > > eval('(' + text + ')');
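Review bot: the `+` line widens the string-stripping step to single-quoted literals but carries no comment saying this is a deliberate, temporary departure from JSON for eval-only callers; add one beside the regex (e.g. `// also strip '...' literals: legacy eval-based callers send them; remove later`) so the next reader does not "fix" it back to the json2.js form. The check stays sound only because the new alternative `'(\\.|[^'\\])*'` mirrors the double-quote one exactly (same `\\.` escape handling, nothing else consumed), so the literals removed are precisely the tokens the JS lexer would treat as strings before the `[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]` test runs on the remainder; keep the two alternatives in lockstep if either is ever changed. Note also that the mail client has wrapped the `+` line across three lines; the intended single replacement line is `text.replace(/("(\\.|[^"\\])*")|('(\\.|[^'\\])*')/g, ''))) &&`.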
> > >
> > >
> > > Why is this?
> > >
> > > Also, how does this implementation compare against the public domain
> > > json library here?
> > >
> > > http://www.json.org/json2.js
> > >
> > >
> > >
> >
> >
> >
>
> --
> Paul Lindner
> hi5 Architect
> [EMAIL PROTECTED]
>
--
~Kevin
If you received this email by mistake, please delete it, cancel your mail
account, destroy your hard drive, silence any witnesses, and burn down the
building that you're in.
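The two pre-eval filters discussed in this thread, side by side, as an added example that is not Shindig's json.js, the container copy, or json2.js: the double-quote-only check from features/core/json.js and the relaxed variant that also strips single-quoted strings, run over constructed inputs (an ifpc-style argument list, real JSON, and two attempts to get code past the filter). The function names `safeToEval`, `parseStrict`, `parseLenient`, `classify` and the sample strings are chosen for this example, not taken from the code base.

```javascript
// Added example, not the project's own json.js: the pre-eval safety check
// from the thread in both variants, so the difference can be exercised.

// Original (features/core/json.js): strip only double-quoted string literals.
const STRINGS_DOUBLE = /"(\\.|[^"\\])*"/g;
// Container copy (javascript/container/json.js): also strip single-quoted ones.
// The second alternative deliberately mirrors the first (same escape handling).
const STRINGS_EITHER = /("(\\.|[^"\\])*")|('(\\.|[^'\\])*')/g;
// Once the literals are gone, anything outside JSON punctuation, number
// characters, whitespace and the letters of true/false/null/e/E is unsafe.
const UNSAFE_CHAR = /[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/;

function safeToEval(text, stringPattern) {
  return !UNSAFE_CHAR.test(text.replace(stringPattern, ''));
}

// Strict form: accepts only what the original json.js accepted.
function parseStrict(text) {
  if (!safeToEval(text, STRINGS_DOUBLE)) {
    throw new SyntaxError('rejected before eval: ' + text);
  }
  return eval('(' + text + ')');
}

// Lenient form: single-quoted strings pass the filter. Not valid JSON, but
// the remaining character set still cannot express a call, an assignment
// or a statement, so eval only ever sees literals.
function parseLenient(text) {
  if (!safeToEval(text, STRINGS_EITHER)) {
    throw new SyntaxError('rejected before eval: ' + text);
  }
  return eval('(' + text + ')');
}

// Report what each variant does with a given text: 'ok' or 'rejected'.
function classify(text) {
  const outcome = (parse) => {
    try { parse(text); return 'ok'; } catch (e) { return 'rejected'; }
  };
  return { strict: outcome(parseStrict), lenient: outcome(parseLenient) };
}

// Constructed inputs (not from the thread).
const SAMPLES = [
  "['resize_iframe', 'my_gadget', 300]",   // what an eval-only ifpc caller sends
  '["resize_iframe", "my_gadget", 300]',   // the same arguments as real JSON
  '{"a": alert(1)}',                       // call syntax: '(' is unsafe
  '{"a": 1}; alert(1)',                    // statement: ';' is unsafe
  '{"quote": "it\'s fine"}',               // apostrophe inside a "..." literal
];

function runSamples() {
  return SAMPLES.map((text) => ({ text, ...classify(text) }));
}

for (const r of runSamples()) {
  console.log(`strict=${r.strict.padEnd(8)} lenient=${r.lenient.padEnd(8)} ${r.text}`);
}
```

The first sample is the shape that bit the container copy: the strict filter rejects it outright because `'` and `_` never get stripped, while the lenient filter reduces it to `[, , 300]` and lets eval produce the three arguments. Both variants refuse the two injection attempts before eval is ever reached, which is the property the relaxed regex has to preserve. Code that can rely on a native parser should use `JSON.parse` instead of any eval-based check.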