Opened 13 years ago

Closed 12 years ago

#1656 closed enhancement (wontfix)

Add 'secure' version of eval()

Reported by: rishson@… Owned by: alex
Priority: high Milestone: 0.9
Component: Core Version: 0.3
Keywords: eval secure json Cc:
Blocked By: Blocking:

Description

The reason for this request is that eval() is seen as a security risk by many of my clients, especially where you cannot be sure the client server link is secure. Currently, we escape all Json before eval() but it would be great if dojo supported this in core.

Change requests: 1) additional function in dojo.json e.g. 'escapedEvalJson': This would basically escape the Json string before performing eval(). This prevents the possibility of malicious script injection as functions do not get evaluated. See: http://www.json.org/js.html for the reference implementation.

2a) additional parameter in dojo.io.bind if using text/json as the mimetype: param of 'safeEval: true' or similar to specify that the 'dojo.json.escapedEvalJson' should be used rather than dojo.json.evalJson

OR

2b) 'dj_safeEval: true' global setting that always calls 'dojo.json.escapedEvalJson' whenever eval() is required.
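An added example (not Dojo's code and not the reporter's) of the validate-then-eval approach the json.org reference implementation takes: the three regex rewrites are the well-known check from Douglas Crockford's json2.js, and the function names (`safeEvalJson`, `tryDecode`) and the sample strings are constructed here.

```javascript
// Added example (not Dojo code): validate-before-eval JSON decoding in the
// style of the json.org reference implementation (json2.js). The text is
// reduced by three regex rewrites; if anything other than JSON punctuation
// survives, the input is rejected before eval() ever sees it.

function safeEvalJson(text) {
  if (typeof text !== "string") {
    throw new TypeError("safeEvalJson expects a string");
  }
  // 1. Collapse JSON escape sequences so an escaped quote cannot end a string early.
  const noEscapes = text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");
  // 2. Replace every JSON scalar token (string, true/false/null, number) with "]".
  const noScalars = noEscapes.replace(
    /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,
    "]"
  );
  // 3. Drop opening brackets that sit where a value may start.
  const noOpeners = noScalars.replace(/(?:^|:|,)(?:\s*\[)+/g, "");
  // Only structural punctuation and whitespace may remain; identifiers,
  // parentheses and operators mean the text is not plain JSON.
  if (!/^[\],:{}\s]*$/.test(noOpeners)) {
    throw new SyntaxError("safeEvalJson: input is not plain JSON");
  }
  // Parenthesise so a top-level object literal is parsed as an expression.
  return eval("(" + text + ")");
}

// Demo helper: report either the decoded value or the rejection reason.
function tryDecode(text) {
  try {
    return { ok: true, value: safeEvalJson(text) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample inputs: one honest response and two that carry code.
const SAMPLE_OK = '{"user": "rishson", "roles": ["admin", "dev"], "n": -1.5e3, "q": "a\\"b"}';
const SAMPLE_CALL = '{"user": "x", "roles": alert(1)}';
const SAMPLE_FUNC = '{"cb": function () { return 1; }}';

if (typeof require !== "undefined" && require.main === module) {
  console.log(tryDecode(SAMPLE_OK));
  console.log(tryDecode(SAMPLE_CALL));
  console.log(tryDecode(SAMPLE_FUNC));
}
```

The check is conservative by design: it accepts only text that reduces to brackets, braces, colons, commas and whitespace, so a response that contains a function call, a function literal or an operator is refused without being evaluated, and the cost is the three passes over the string that the maintainers' comment below weighs against the benefit.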

Change History (3)

comment:1 Changed 13 years ago by dylan

Milestone: 0.5

comment:2 Changed 12 years ago by Adam Peller

Owner: changed from anonymous to alex

comment:3 Changed 12 years ago by alex

Resolution: wontfix
Status: new → closed

Until we get native support for safe JSON decoding from the browsers, the performance impact is just too great to accept this. We support (and encourage) comment-filtered JSON output from servers, but the fundamental responsibility to ensure that things are correctly escaped lies with the server.
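An added example (not Dojo's own code and not alex's) of the comment-filtered JSON convention mentioned in the comment, showing both the server-side wrap and the client-side unwrap. The names `commentFilter`, `decodeCommentFiltered` and `loadedAsScript` and the sample record are constructed here; the native decoder used on the client is `JSON.parse`, the browser support the comment was waiting for.

```javascript
// Added example (not Dojo code): comment-filtered JSON. The server wraps the
// JSON body in a block comment; an XHR client strips the comment and parses
// the remainder natively, while a cross-site <script src=...> inclusion of
// the same response evaluates to nothing.

// Server side: wrap the serialised JSON. A "*/" inside a string value would
// terminate the comment early, so it is rewritten as "*\/" (JSON's escaped
// slash), which parses back to the same value.
function commentFilter(jsonText) {
  const safe = jsonText.replace(/\*\//g, "*\\/");
  return "/* " + safe + " */";
}

// Client side: accept only a body that is exactly one block comment, then hand
// the inner text to the native parser instead of eval().
const COMMENT_FILTERED = /^\s*\/\*([\s\S]*)\*\/\s*$/;

function decodeCommentFiltered(body) {
  const m = COMMENT_FILTERED.exec(body);
  if (!m) {
    throw new SyntaxError("response is not comment-filtered JSON");
  }
  return JSON.parse(m[1]);
}

// What a page that loads the response as a script obtains: with the comment
// wrapper the result is undefined; a bare array literal would yield the data.
function loadedAsScript(body) {
  return eval(body);
}

// Constructed sample payload, including a value that contains "*/".
const SAMPLE_RECORD = { id: 7, note: "closes with */ early", tags: ["a", "b"] };
const PLAIN_BODY = JSON.stringify(SAMPLE_RECORD);
const FILTERED_BODY = commentFilter(PLAIN_BODY);

if (typeof require !== "undefined" && require.main === module) {
  console.log(FILTERED_BODY);
  console.log(decodeCommentFiltered(FILTERED_BODY));
  console.log(loadedAsScript(FILTERED_BODY)); // undefined
}
```

The escaping of `*/` inside string values is the server-side detail the comment refers to: without it a single crafted value would close the comment early, which is why the responsibility for correct escaping stays with whatever produces the response.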
