On 4/3/07, Fred C <[EMAIL PROTECTED]> wrote:
>
>
> On Apr 3, 2007, at 12:10 PM, Bob Ippolito wrote:
>
> >
> > Are you sure it's vulnerable? If you return a JSON object, it is not
> > vulnerable. JSON objects are only valid expressions, not statements,
> > so they are simply an error when sourced with a script tag.
> >
> > You are ONLY vulnerable if you [return, an, array] as the outer-most
> > JSON object.
>
> Are not all JSON objects associative arrays?
>

Arrays in JavaScript are not (used as) associative arrays, they are
arrays. That's irrelevant though, this is a syntax issue. Some syntax
is exploitable, and other syntax is not.

-bob
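
Added example, not part of the original message: a check for the syntax point above, showing that a JSON object body fails to compile as a script while an outermost array compiles, plus a server-side wrapper that keeps arrays out of the outermost position. The function names and the "items" key are assumptions made for this illustration.

```javascript
// Added example (not from the thread). All function names are hypothetical.

// True if `body` compiles when used as script source.
// new Function() only parses the text; the function is never called.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Classify a JSON response body by its outermost value.
function outermostKind(body) {
  const value = JSON.parse(body); // throws on invalid JSON
  if (Array.isArray(value)) return "array";
  if (value !== null && typeof value === "object") return "object";
  return "scalar";
}

// Mitigation on the server side: never emit an array as the outermost
// value. The "items" key is an assumption; any key name works.
function toSafeJson(value) {
  return JSON.stringify(Array.isArray(value) ? { items: value } : value);
}

// Constructed sample response bodies.
const samples = [
  '{"user": "fred", "id": 7}',
  '[{"user": "fred"}, {"user": "bob"}]',
];

// For each sample: its kind, whether it compiles as a script as-is,
// and whether it still compiles after toSafeJson() has wrapped it.
function report() {
  return samples.map((body) => ({
    kind: outermostKind(body),
    scriptParseable: parsesAsScript(body),
    wrappedParseable: parsesAsScript(toSafeJson(JSON.parse(body))),
  }));
}

console.log(report());
```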
