Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#12871 closed enhancement (wontfix)

Provide an option "strictJSON"

Reported by: lazaridis_com
Owned by:
Priority: high
Milestone: tbd
Component: Core
Version:
Keywords:
Cc:
Blocked By:
Blocking:

Description

(severity "critical", as it affects security)

Provide a config option like "strictJSON" that ensures that the toolkit accepts only valid JSON format.

This could be introduced with a default value "off" (does not alter behavior), and at the same time it's announced that in a later version it will default to "on".

A clear text error message could avoid frustration:

"It seems you are not using valid json format. Please refer to http://www.json.org/. If you cannot alter the format, you can set the configuration option "strictJSON" to false, in order to accept non-valid JSON data"

Related discussion:

http://dojo-toolkit.33424.n3.nabble.com/Dojo-usage-of-non-standard-JSON-Format-td2878366.html

Change History (12)

comment:1 Changed 8 years ago by Kenneth G. Franqueiro

Component: Data → Core
Owner: Jared Jurkiewicz deleted
Severity: critical → normal

There already are / will be tools available for this, though I suppose not exactly what you're asking for (a global option to flip dojo.fromJson itself to strict) - though you could easily achieve this yourself with the help of the features mentioned below if you so desired.

Dojo 1.7 will have the dojo/json module, which uses the browser's native JSON.parse if available, otherwise falls back to a version which can be told to do a sanity check (at a performance cost).

http://bugs.dojotoolkit.org/browser/dojo/trunk/json.js

Even in Dojo 1.6, if security is a concern, dojox.secure.fromJson can be used.

It's my understanding that JSON will be treated strictly by default in 2.0.
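
The distinction drawn in this comment (and again in comment:11), as an added example that is not Dojo's code: the old lenient behaviour is modelled here as an eval-based parser, which is how Dojo 1.x's dojo.fromJson worked, and the requested "strictJSON" switch is a hypothetical factory that routes to JSON.parse by default and emits the error text proposed in the ticket. The sample inputs are constructed; the "hostile" one shows why a lenient parser is a security issue rather than a formatting nit, since it is JavaScript that runs, not data that is read.

```javascript
// Added example, not Dojo code. Models the requested "strictJSON" switch in front
// of an eval-based lenient parser similar to what Dojo 1.x's dojo.fromJson did.

// Stand-in for the old lenient behaviour: the input string is treated as JavaScript.
function lenientFromJson(text) {
  return eval("(" + text + ")");
}

// Hypothetical factory implementing the ticket's proposal; strictJSON defaults to on.
function makeFromJson(config) {
  const strict = !(config && config.strictJSON === false);
  return function fromJson(text) {
    if (!strict) {
      return lenientFromJson(text);
    }
    try {
      return JSON.parse(text); // accepts only the JSON grammar and never executes code
    } catch (err) {
      throw new SyntaxError(
        "It seems you are not using valid JSON format. Please refer to http://www.json.org/. " +
        'If you cannot alter the format, you can set the configuration option "strictJSON" ' +
        "to false, in order to accept non-valid JSON data. (" + err.message + ")"
      );
    }
  };
}

// Constructed sample inputs (not taken from the ticket).
const SAMPLES = {
  valid:   '{"user": "alice", "roles": ["admin"]}',
  sloppy:  "{user: 'alice', roles: ['admin']}",   // JS object literal: bare keys, single quotes
  hostile: '(function(){ globalThis.pwned = true; return {user: "alice"}; })()' // code posing as data
};

// Run one input through both modes and report whether each accepted it.
function compare(text) {
  const outcome = (fn) => {
    try { return { ok: true, value: fn(text) }; }
    catch (err) { return { ok: false, error: err.constructor.name }; }
  };
  return {
    strict:  outcome(makeFromJson({ strictJSON: true })),
    lenient: outcome(makeFromJson({ strictJSON: false }))
  };
}

// Did parsing this input (in either mode) leave a side effect on the global object?
function leavesGlobalSideEffect(text) {
  delete globalThis.pwned;
  compare(text);
  return globalThis.pwned === true;
}

for (const [name, text] of Object.entries(SAMPLES)) {
  const r = compare(text);
  console.log(
    name.padEnd(8),
    "strict:", r.strict.ok ? "parsed" : "rejected (" + r.strict.error + ")",
    "| lenient:", r.lenient.ok ? "parsed" : "rejected",
    "| global side effect:", leavesGlobalSideEffect(text)
  );
}
```

With the switch on, the sloppy and hostile inputs are both rejected with the same clear message; with it off, both are accepted and the hostile one runs attacker-controlled code. This is why a global opt-out for legacy formats is a footgun in a security-relevant setting, and why the browser's native JSON.parse (which dojo/json uses when available) is the right default.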

comment:2 Changed 8 years ago by lazaridis_com

related #12872

comment:3 Changed 7 years ago by bill

Resolution: wontfix
Status: new → closed

Yah, I think we can close this since it's supported with the dojo/json module, and before that with dojox.secure.fromJson.

comment:4 Changed 7 years ago by lazaridis_com

So is this a "wontfix" or is this a "worksforme" in 2.0?

I mean, does dojo now treat JSON strictly (as it should, because otherwise it's a bug)?

Please clarify, and correct the "wontfix" (or reopen the ticket).

comment:5 Changed 7 years ago by bill

does dojo now treat JSON strictly?

Your question is rather vague. As I said, dojo/json treats JSON strictly.

comment:6 Changed 7 years ago by lazaridis_com

Nothing misleading at all, just switch to a user context:

was: dojo allowed non-standard JSON

is: ?

If solved, then the issue is fixed, and thus the wontfix resolution is wrong and misleading.

comment:7 Changed 7 years ago by bill

Dojo is composed of many classes and methods. The newer methods demand strict JSON whereas the older code does not.

comment:8 in reply to:  7 Changed 7 years ago by lazaridis_com

Replying to bill:

Dojo is composed of many classes and methods. The newer methods demand strict JSON whereas the older code does not.

Ok, this means that this issue is fixed (strict JSON is needed by default in the new version).

You should reopen the issue and close it as fixed to avoid misunderstandings.

comment:9 Changed 7 years ago by bill

I don't think so. The title of this ticket is ' Provide an option "strictJSON" '. There was no such option added. The description of this ticket is "Provide an config option like "strictJSON" that ensures that the toolkit accepts only valid JSON format.". That was not done. I am leaving this as "wontfix", to prevent misunderstandings.

comment:10 Changed 7 years ago by lazaridis_com

So there's no switch/setting to set dojo to accept the non-standard format (backward compatibility)? If there is one, then the ticket is fixed.

If not, then the ticket should be closed as worksforme (as there is another way to solve the issue)

comment:11 Changed 7 years ago by bill

There's no switch/setting to set dojo to accept the non-standard format (backward compatibility). dojo/json.js, when used directly, has a similar switch, but it only affects old browsers without the builtin JSON object.

We use "worksforme" to indicate that we could not reproduce the problem, not that there is another way to solve the issue.

comment:12 Changed 7 years ago by lazaridis_com

ok
