Opened 15 years ago

Closed 14 years ago

#1656 closed enhancement (wontfix)

Add 'secure' version of eval()

Reported by: [email protected] Owned by: alex
Priority: high Milestone: 0.9
Component: Core Version: 0.3
Keywords: eval secure json Cc:
Blocked By: Blocking:


The reason for this request is that eval() is seen as a security risk by many of my clients, especially where you cannot be sure the client-server link is secure. Currently, we escape all JSON before eval(), but it would be great if dojo supported this in core.

Change requests: 1) additional function in dojo.json, e.g. 'escapedEvalJson': This would basically escape the JSON string before performing eval(). This prevents the possibility of malicious script injection, as functions do not get evaluated. See: for the reference implementation.

2a) additional parameter in if using text/json as the mimetype: param of 'safeEval: true' or similar to specify that 'dojo.json.escapedEvalJson' should be used rather than dojo.json.evalJson.


2b) 'dj_safeEval: true' global setting that always calls 'dojo.json.escapedEvalJson' whenever eval() is required.

Change History (3)

comment:1 Changed 15 years ago by dylan

Milestone: 0.5

comment:2 Changed 15 years ago by Adam Peller

Owner: changed from anonymous to alex

comment:3 Changed 14 years ago by alex

Resolution: wontfix
Status: new → closed

Until we get native support for safe JSON decoding from the browsers, the performance impact is just too great to accept this. We support (and encourage) comment-filtered JSON output from servers, but the fundamental responsibility to ensure that things are correctly escaped lies with the server.
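The two mechanisms discussed in this ticket, the requested escape-before-eval decoder and the comment-filtered JSON alex refers to, as an added illustration that is not Dojo code: a decoder that strips the `/* ... */` comment filter, then admits only JSON grammar tokens before handing the text to the native `JSON.parse`, shown next to the plain eval() approach it replaces. Function names (`safeEvalJson`, `legacyEvalJson`, `stripCommentFilter`, `isStrictJson`) and the sample inputs are constructed for this example.

```javascript
// Added example, not part of Dojo. Tokens JSON permits: strings, numbers,
// true/false/null, brackets, colon, comma and whitespace. Anything else
// (identifiers, parentheses, operators) has no match and is rejected.
const JSON_TOKEN = /^(?:"(?:[^"\\\u0000-\u001f]|\\["\\\/bfnrt]|\\u[0-9a-fA-F]{4})*"|-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?|true|false|null|[\[\]{}:,]|\s+)/;

// Comment-filtered JSON: the server emits "/* {...} */" so that including the
// URL via <script src> evaluates to nothing; the intended caller removes the
// wrapper before decoding. (Constructed helper.)
function stripCommentFilter(text) {
  const t = text.trim();
  if (t.startsWith("/*") && t.endsWith("*/")) {
    return t.slice(2, -2);
  }
  return t;
}

// Consume the input token by token; any remainder that is not a JSON token
// means the text is not pure data and must not be evaluated.
function isStrictJson(text) {
  let rest = text;
  while (rest.length > 0) {
    const m = JSON_TOKEN.exec(rest);
    if (!m) return false;
    rest = rest.slice(m[0].length);
  }
  return true;
}

// Safe decoder: token filter first, then JSON.parse enforces structure
// (balanced brackets, key/value pairs). Throws on anything executable.
function safeEvalJson(text) {
  const body = stripCommentFilter(text);
  if (!isStrictJson(body)) {
    throw new SyntaxError("input contains non-JSON tokens; refusing to evaluate");
  }
  return JSON.parse(body);
}

// The approach the ticket is worried about, simplified: wrap and eval().
// Any expression embedded in the "JSON" runs with the page's privileges.
function legacyEvalJson(text) {
  return eval("(" + stripCommentFilter(text) + ")");
}

// Constructed sample inputs: a comment-filtered response from a well-behaved
// server, and a response carrying an embedded function call.
const GOOD = '/* {"user": "alice", "roles": ["admin", "dev"], "n": -1.5e3} */';
const BAD = '{"user": (function () { return "code ran"; })()}';
```

Running `safeEvalJson(BAD)` throws a SyntaxError before any evaluation takes place, whereas `legacyEvalJson(BAD)` executes the embedded function and returns an object whose `user` field is the string it produced.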
