Article: Tuning AJAX
Subject: Security issues in JSON
Date: 2006-04-12 15:44:13
From: dbacher987

A number of people talked about XML vs. JSON.


JSON can be used to execute JavaScript insertion attacks against any web client that uses it, unless the server (and only the server) takes appropriate precautions.


Eval performs an unescape. This means that any entities contained in the response are parsed, and replaced with the appropriate character references, which are then processed as JavaScript. To defend against this, any entity reference must be encoded a second time, and wrapped with a manual unencode call.


Many JSON libraries do not correctly perform this task, and (worse) many JSON libraries server-side can't handle doubly encoded requests like this. As a result, it is often necessary to modify the JSON library that you are using to obtain the correct behavior.


On the other hand, XML never causes anything to be executed by its mere presence in a request. If you just blindly replace elements on the document with XML coming from a request, there's a danger in that, but there is no danger in the request itself.


Yes, JSON reduces the size of an XML document and eases processing on the document side; however, you absolutely must take precautions if you display any user-entered data using JSON, because you are *EXECUTING* the request to process it, and the request *COULD* contain malicious code.


You can't do the encoding client side because there is no way to tell an entity that is a valid part of the request from an entity that could potentially be hostile.


If you need JSON-like functionality and XML is too heavyweight, I would suggest the following, more secure, alternative.


Register the types that you want to create with a JavaScript class. Tell it all the potential types that might appear in the request.


Instead of using JSON, just put a name of a class, a brace, the data, then another brace. Then parse this by hand using the registered functions.


This means that only the registered functions can run in response to the request (so no unintended JavaScript code can run), which cuts off the injection aspect, while reducing the payload even more than JSON does.


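The behaviour the post describes, as an added example for Node.js (this is not the poster's code): a constructed server response whose user-entered field carries JavaScript, evaluated first with eval and then with JSON.parse, followed by a minimal registered-type parser of the kind the post proposes. The `Name{field=value;field=value}` wire format, the `registerType`/`parseTyped` names and the `User` type are assumptions made for this example.

```javascript
// Added example (not the poster's code): why evaluating a JSON response
// executes attacker-controlled JavaScript, why a real JSON parser does not,
// and a registered-type parser of the kind the post proposes.
// Run with: node json-injection.js

// Constructed response from a hypothetical server. The "name" field holds
// user-entered text that was not encoded: it closes the string literal and
// splices in an expression that eval will run (here it just sets a flag).
const hostileResponse =
  '{"name": "alice" + (globalThis.pwned = true) + "", "age": 30}';

// The early-AJAX idiom: treat the whole response body as a JavaScript expression.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// A JSON parser accepts only the JSON grammar; the '+' operator and the
// assignment are a syntax error, so nothing in the payload can execute.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// --- Registered-type alternative --------------------------------------
// Wire format assumed for this example: Name{field=value;field=value}.
// Only factories registered ahead of time can ever run, and the body is
// split on ';' and '=' as plain text; it is never evaluated.
const registry = new Map();

function registerType(name, factory) {
  registry.set(name, factory);
}

function parseTyped(text) {
  const m = /^([A-Za-z_]\w*)\{([^{}]*)\}$/.exec(text.trim());
  if (!m) throw new Error('malformed typed payload');
  const typeName = m[1];
  const body = m[2];
  const factory = registry.get(typeName);
  if (!factory) throw new Error('unregistered type: ' + typeName);
  const fields = Object.create(null); // no prototype, so "__proto__" etc. are inert keys
  for (const pair of body.split(';')) {
    if (!pair.trim()) continue;
    const eq = pair.indexOf('=');
    if (eq < 0) throw new Error('malformed field: ' + pair);
    fields[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return factory(fields);
}

// Hypothetical application type: validates and converts its own fields.
registerType('User', function (f) {
  const age = Number(f.age);
  if (!Number.isInteger(age) || age < 0) throw new Error('bad age');
  return { name: String(f.name !== undefined ? f.name : ''), age: age };
});

// The same injection attempt in the typed format: the payload survives
// only as the literal characters of the name field, and the flag it tries
// to set (a different one, so the two cases can be told apart) stays unset.
const hostileTyped =
  'User{name=alice" + (globalThis.pwnedTyped = true) + ";age=30}';

// Runs the three cases and returns what each produced, for a quick look.
function demo() {
  const out = {};
  out.eval = parseWithEval(hostileResponse);       // flag is now set
  out.evalRanCode = globalThis.pwned === true;
  try {
    parseWithJsonParse(hostileResponse);
    out.jsonParse = 'accepted (unexpected)';
  } catch (e) {
    out.jsonParse = 'rejected: ' + e.name;
  }
  out.typed = parseTyped(hostileTyped);
  out.typedRanCode = globalThis.pwnedTyped === true;
  try {
    parseTyped('Function{body=alert(1)}');
    out.unregistered = 'accepted (unexpected)';
  } catch (e) {
    out.unregistered = 'rejected: ' + e.message;
  }
  return out;
}

console.log(demo());
```

The typed parser deliberately handles only flat string fields; nesting would need a real grammar, at which point a JSON parser that never evaluates its input (JSON.parse) is the simpler choice.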