Embedding javascript in JSON and security

I have an online service where users can create documents with JSON support. They are then saved on the server, and other users can download them. The JSON is decoded exactly as it was sent. Are there any security risks if a user modifies the JSON before sending it and inserts arbitrary JavaScript, which is then executed in the viewer's browser? Is that possible? What I need to know is whether arbitrary JavaScript execution from a JSON string is possible.

+5
3 answers

JSON is traditionally parsed using an eval() statement, which is about as unsafe as it gets. If you allow this, your application will be unsafe.

+5

It completely depends on a) whether you sanitize the JSON on the server side and (even more) on b) how you decode the JSON on the client side when reloading it.

  • Any code that uses eval() to deserialize the JSON into JavaScript is open to exactly the attack you describe.

  • Any code that uses JSONP to load the JSON (i.e. passing the JSON as a JavaScript literal to the specified callback function) is open to the attack you describe (it is effectively the same as using eval()).

  • Any code that uses a real JSON parser (e.g. json2.js, jQuery's $.parseJSON, the native JSON.parse(), etc.) to decode the JSON will only ever parse JSON; it does not execute anything.

  • The same applies on the server side: decode the submitted JSON with a proper JSON parser (e.g. json.loads(user_submitted_json) in Python) rather than evaluating it.

+9
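To make the difference between the three cases above concrete, here is an added example (written for this edit, not code from any of the posters). The two payloads are constructed: a benign "document" and one whose "pages" value is a JavaScript expression with a side effect, which is legal JavaScript but not legal JSON. `globalThis.__attackerRan` is a made-up sentinel used only to observe whether attacker-controlled code executed; `handleDoc` is a hypothetical JSONP callback name.

```javascript
// Constructed sample payloads (not from the original thread).
const BENIGN_DOC = '{"title": "Quarterly report", "pages": 3}';

// Valid JavaScript, invalid JSON: the value of "pages" is a parenthesised
// expression whose side effect bumps a sentinel. eval() runs it; a real JSON
// parser rejects it with a SyntaxError.
const HOSTILE_DOC =
  '{"title": "Quarterly report", ' +
  '"pages": (globalThis.__attackerRan = (globalThis.__attackerRan || 0) + 1, 3)}';

// The classic pre-JSON.parse idiom: wrap the text in parentheses so the object
// literal is not parsed as a block statement, then eval it. Vulnerable.
function decodeWithEval(text) {
  return eval('(' + text + ')');
}

// Simulated JSONP: the server wraps the stored document in a call to the
// client's callback and the browser executes the response as a <script>.
// new Function() stands in for the script tag; the effect is the same as eval.
function decodeViaJsonp(text, callbackName) {
  let received;
  const scriptBody = callbackName + '(' + text + ');';
  new Function(callbackName, scriptBody)(function (obj) { received = obj; });
  return received;
}

// Safe: JSON.parse accepts only the JSON grammar and never evaluates code.
// Anything that is not well-formed JSON is rejected (null here).
function decodeSafely(text) {
  try {
    return JSON.parse(text);
  } catch (err) {
    if (err instanceof SyntaxError) return null;
    throw err;
  }
}

// Runs one decoder over a payload and reports the decoded value, any error,
// and whether the attacker's expression executed (sentinel changed).
function probe(decoder, text) {
  const before = globalThis.__attackerRan || 0;
  let value = null;
  let error = null;
  try {
    value = decoder(text);
  } catch (err) {
    error = err.constructor.name;
  }
  return { value, error, attackerRan: (globalThis.__attackerRan || 0) > before };
}

// Convenience for readers: one result per decoding strategy for the hostile
// document. Only the JSON.parse-based decoder leaves attackerRan === false.
function compareDecoders(text) {
  return {
    eval: probe(decodeWithEval, text),
    jsonp: probe(function (t) { return decodeViaJsonp(t, 'handleDoc'); }, text),
    jsonParse: probe(decodeSafely, text),
  };
}
```

Note that the hostile payload is accepted by eval() and by the JSONP path and decodes to a perfectly normal-looking object, so the viewer's page would render the document while the injected expression has already run. JSON.parse() throws on the same input before anything is evaluated, which is why decodeSafely() returns null rather than a partially decoded object.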
<plug shameless="true">

JSON sans eval is a JSON parser that does not use eval, so a JSON string it parses cannot execute code.

The json.org parser is written in JavaScript. It checks the input against the JSON grammar before evaluating it, so it only accepts well-formed JSON.

</plug>
+5
