#12871 closed enhancement (wontfix)
Provide an option "strictJSON"
| Reported by: | lazaridis_com | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | tbd |
| Component: | Core | Version: | |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
Description
(severity "critical", as it affects security)
Provide a config option like "strictJSON" that ensures that the toolkit accepts only valid JSON format.
This could be introduced with a default value of "off" (does not alter behavior), and at the same time it's announced that in a later version it will default to "on".
A clear text error message could avoid frustration:
"It seems you are not using valid json format. Please refer to http://www.json.org/. If you cannot alter the format, you can set the configuration option "strictJSON" to false, in order to accept non-valid JSON data"
Related discussion:
http://dojo-toolkit.33424.n3.nabble.com/Dojo-usage-of-non-standard-JSON-Format-td2878366.html
Change History (12)
comment:1 Changed 10 years ago by
Component: | Data → Core |
---|---|
Owner: | Jared Jurkiewicz deleted |
severity: | critical → normal |
comment:3 Changed 9 years ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Yah, I think we can close this since it's supported with the dojo/json module, and before that with dojox.secure.fromJson.
comment:4 Changed 9 years ago by
So is this a "wontfix" or is this a "worksforme" in 2.0?
I mean, does dojo now treat JSON strictly (as it should, because otherwise it's a bug)?
Please clarify, and correct the "wontfix" (or reopen the ticket).
comment:5 Changed 9 years ago by
> does dojo now treat JSON strictly?
Your question is rather vague. As I said, dojo/json treats JSON strictly.
comment:6 Changed 9 years ago by
Nothing misleading at all, just switch over to a user context:
was: dojo allowed non-standard JSON
is: ?
If solved, then the issue is fixed, and thus the wontfix resolution is wrong and misleading.
comment:7 follow-up: 8 Changed 9 years ago by
Dojo is composed of many classes and methods. The newer methods demand strict JSON whereas the older code does not.
comment:8 Changed 9 years ago by
Replying to bill:
> Dojo is composed of many classes and methods. The newer methods demand strict JSON whereas the older code does not.
Ok, this means that this issue is fixed (strict JSON is needed by default in the new version).
You should reopen the issue and close it as fixed to avoid misunderstandings.
comment:9 Changed 9 years ago by
I don't think so. The title of this ticket is ' Provide an option "strictJSON" '. There was no such option added. The description of this ticket is "Provide an config option like "strictJSON" that ensures that the toolkit accepts only valid JSON format.". That was not done. I am leaving this as "wontfix", to prevent misunderstandings.
comment:10 Changed 9 years ago by
So there's no switch/setting to set dojo to accept the non-standard format (backward compatibility)? If there is one, then the ticket is fixed.
If not, then the ticket should be closed as worksforme (as there is another way to solve the issue)
comment:11 Changed 9 years ago by
There's no switch/setting to set dojo to accept the non-standard format (backward compatibility). dojo/json.js, when used directly, has a similar switch, but it only affects old browsers without the builtin JSON object.
We use "worksforme" to indicate that we could not reproduce the problem, not that there is another way to solve the issue.
There already are / will be tools available for this, though I suppose not exactly what you're asking for (a global option to flip dojo.fromJson itself to strict) - though you could easily achieve this yourself with the help of the features mentioned below if you so desired.
Dojo 1.7 will have the dojo/json module, which uses the browser's native JSON.parse if available, otherwise falls back to a version which can be told to do a sanity check (at a performance cost). http://bugs.dojotoolkit.org/browser/dojo/trunk/json.js
Even in Dojo 1.6, if security is a concern, dojox.secure.fromJson can be used.
It's my understanding that JSON will be treated strictly by default in 2.0.
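
The strict-versus-lenient distinction argued over in this ticket, as an added example (not code from Dojo or from any commenter). It assumes an evaluation-based parser as a stand-in for the older non-strict behavior; `lenientParse`, `parseJson`, `classify` and the sample inputs are hypothetical names and constructed data.

```javascript
// Stand-in (assumption) for a legacy parser that evaluates its input:
// any JavaScript expression is accepted, so the "data" is really code.
function lenientParse(text) {
  return new Function("return (" + text + ");")();
}

// Clear-text error along the lines the ticket description proposes.
const STRICT_HINT =
  "It seems you are not using valid JSON format. Please refer to " +
  "http://www.json.org/. If you cannot alter the format, you can set the " +
  'configuration option "strictJSON" to false.';

// Hypothetical wrapper with the requested switch. In strict mode only the
// native JSON.parse is used, so nothing in the input is ever executed.
function parseJson(text, strictJSON = true) {
  if (!strictJSON) return lenientParse(text);
  try {
    return JSON.parse(text);
  } catch (cause) {
    const err = new SyntaxError(STRICT_HINT);
    err.cause = cause;
    throw err;
  }
}

// Constructed sample inputs: one valid document, four non-standard ones.
const SAMPLES = [
  '{"a": 1, "b": [true, null]}', // valid JSON
  "{a: 1}",                      // unquoted key
  "{'a': 'x'}",                  // single-quoted strings
  '{"a": 1,}',                   // trailing comma
  // An expression with a harmless side effect, to show that it runs:
  '{"a": (function () { globalThis.__sideEffect = true; return 1; })()}',
];

// Report how each mode treats one input.
function classify(text) {
  const verdict = { strict: "accepted", lenient: "accepted" };
  try { parseJson(text, true); } catch (e) { verdict.strict = "rejected"; }
  try { parseJson(text, false); } catch (e) { verdict.lenient = "rejected"; }
  return verdict;
}

for (const sample of SAMPLES) {
  console.log(JSON.stringify(classify(sample)), sample);
}
console.log("side effect ran in lenient mode:", globalThis.__sideEffect === true);
```

Only the first sample passes in strict mode; the lenient mode accepts all five and executes the function embedded in the last one.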