Opened 13 years ago
Closed 12 years ago
#1656 closed enhancement (wontfix)
Add 'secure' version of eval()
| Reported by: | Owned by: | alex | |
|---|---|---|---|
| Priority: | high | Milestone: | 0.9 |
| Component: | Core | Version: | 0.3 |
| Keywords: | eval secure json | Cc: | |
| Blocked By: | Blocking: |
Description
The reason for this request is that eval() is seen as a security risk by many of my clients, especially where you cannot be sure the client server link is secure. Currently, we escape all Json before eval() but it would be great is dojo supported this in core.
Change requests: 1) additional function in dojo.json e.g. 'escapedEvalJson': This would basically escape the Json string before performing eval(). This prevents the possibility of malicious script injection as functions do not get evaluated. See: http://www.json.org/js.html for the reference implementation.
2a) additional parameter in dojo.io.bind if using text/json as the mimetype: param of 'safeEval: true' or similar to specify that the 'dojo.json.escapedEvalJson' should be used rather than dojo.json.evalJson
OR
2b) 'dj_safeEval: true' global setting that always calls 'dojo.json.escapedEvalJson' whenever eval() is required.
Change History (3)
comment:1 Changed 13 years ago by
| Milestone: | → 0.5 |
|---|
comment:2 Changed 12 years ago by
| Owner: | changed from anonymous to alex |
|---|
comment:3 Changed 12 years ago by
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
until we get native support for safe JSON decoding from the browsers, the performance impact is just too great to accept this. We support (and encourage) comment-filtered JSON output from servers, but the fundamental responsiblity to ensure that things are correctly escaped lies with the server.