[jira] Commented: (SOLR-56) PATCH: JSONResponseWriter JSON result wrapper function

Wed, 18 Oct 2006 13:13:35 -0700 

    [ 
http://issues.apache.org/jira/browse/SOLR-56?page=comments#action_12443352 ] 
            
Bertrand Delacretaz commented on SOLR-56:
-----------------------------------------

I though json.wrf was more in line with Solr's usual terseness in parameter 
names ;-)

And callback does not mean much in that context, I think wrapper function is 
more precise, it is what this actually does.

> PATCH: JSONResponseWriter JSON result wrapper function
> ------------------------------------------------------
>
>                 Key: SOLR-56
>                 URL: http://issues.apache.org/jira/browse/SOLR-56
>             Project: Solr
>          Issue Type: Improvement
>          Components: search
>         Environment: Tested on macosx 10.4.8, JDK 1.5
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>         Attachments: JSONResponseWriter.wrf.patch
>
>
> This patch adds a "json.wrf" parameter to add a wrapper function around the 
> JSON results, for example:
>   json.wrf = eatJason
>   search result = eatJason({"header":{"qtime":0},...}))
> The result set is sent as a parameter to eatJason instead of being sent as a 
> plain data structure.
> This is useful to work around the cross-site limitations of JSON, when a 
> client uses code like
>   var head = document.getElementsByTagName("head")[0];
>   script = document.createElement('script');
>   script.id = 'uploadScript';
>   script.type = 'text/javascript';
>   script.src = 
> "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";;
>   head.appendChild(script)
>   function eatJason(obj){
>      ...process obj which is Solr's JSON result
>   }                           
> However, I'm no javascript expert, and passing an arbitrary javascript 
> function name in the request parameters feels a bit weird...wondering if this 
> might enable some cross-site scripting scenarios?
> But the technique is well-known apparently, see:
>   http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
> and 
>   http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to