Provide an option "strictJSON"

[lazaridis_com]

(severity "critical", as it affects security)

Provide an config option like "strictJSON" that ensures that the toolkit accepts only valid JSON format.

This could be introduced with a default-value "off" (does not alter behavior), and the same time it's announced the in a later version it will go to default to "on".

A clear text error message could avoid frustration:

"It seems you are not using valid json format. Please refer to ​http://www.json.org/. If you cannot alter the format, you can set the configuration option "strictJSON" to false, in order to accept non-valid JSON data"

Related discussion:

​http://dojo-toolkit.33424.n3.nabble.com/Dojo-usage-of-non-standard-JSON-Format-td2878366.html

[Kenneth G. Franqueiro]

There already are / will be tools available for this, though I suppose not exactly what you're asking for (a global option to flip dojo.fromJson itself to strict) - though you could easily achieve this yourself with the help of the features mentioned below if you so desired.

Dojo 1.7 will have the dojo/json module, which uses the browser's native JSON.parse if available, otherwise falls back to a version which can be told to do a sanity check (at a performance cost).

​http://bugs.dojotoolkit.org/browser/dojo/trunk/json.js

Even in Dojo 1.6, if security is a concern, dojox.secure.fromJson can be used.

It's my understanding that JSON will be treated strictly by default in 2.0.

[lazaridis_com]

related #12872

[bill]

Yah, I think we can close this since it's supported with the dojo/json module, and before that with dojox.secure.fromJson.

[lazaridis_com]

So is this a "wontfix" or is this a "worksforme" in 2.0 ;

I mean, does dojo now treat JSON strictly (as it should, because otherwise it's a bug)?

Please clarify, and correct the "wontfix" (or reopen the ticket).

[bill]

does dojo now treat JSON strictly?

Your question is rather vague. As I said, dojo/json treats JSON strictly.

[lazaridis_com]

nothing missleading at all, just switch out to a user context:

was: dojo allowed non-standard JSON

is: ?

If solved, then the issue is fixed, and thus the wontfix resolution is wrong and misleading.

[bill]

Dojo is composed of many classes and methods. The newer methods demand strict JSON whereas the older code does not.

[lazaridis_com]

Replying to bill:

Dojo is composed of many classes and methods. The newer methods demand strict JSON whereas the older code does not.

Ok, this means that this issue is fixed (strict JSON is need by default in new version).

You should reopen the issue an close it as fixed to avoid missunderstandings.

[bill]

I don't think so. The title of this ticket is ' Provide an option "strictJSON" '. There was no such option added. The description of this ticket is "Provide an config option like "strictJSON" that ensures that the toolkit accepts only valid JSON format.". That was not done. I am leaving this as "wontfix", to prevent misunderstandings.

[lazaridis_com]

So there's no switch/setting to set dojo to accept the non-standard format (backward compatibility)? If there is one, the the ticket is fixed.

If not, then the ticket should be closed as worksforme (as there is another way to solve the issue)

[bill]

There's no switch/setting to set dojo to accept the non-standard format (backward compatibility). dojo/json.js, when used directly, has a similar switch, but it only affects old browsers without the builtin JSON object.

We use "worksforme" to indicate that we could not reproduce the problem, not that there is another way to solve the issue.

[lazaridis_com]

ok