JSON is particularly easy to use in web applications because JSON is JavaScript. A
JSON text can be turned into a useful data structure with the eval
function:
var myData = eval('(' + myJSONText + ')'),
(The concatenation of the parentheses around the JSON text is a workaround for an ambiguity in JavaScript's grammar.)
The eval
function has horrendous security
problems, however. Is it safe to use eval
to
parse a JSON text? Currently, the best technique for obtaining data from a server in
a web browser is through XMLHttpRequest
. XMLHttpRequest
can obtain data only from the same
server that produced the HTML. eval
ing text from
that server is no less secure than the original HTML. But, that assumes the server
is malicious. What if the server is simply incompetent?
An incompetent server might not do the JSON encoding correctly. If it builds JSON texts by slapping together some strings rather than using a proper JSON encoder, then it could unintentionally send dangerous material. If it acts as a proxy and simply passes JSON text through without determining whether it is well formed, then it could send dangerous material again.
The danger can be avoided by using the JSON.parse
method instead of eval
(see http://www.JSON.org/json2.js). JSON.parse
will throw an exception if the text contains anything
dangerous. It is recommended that you always use JSON.parse
instead of eval
to
defend against server incompetence. It is also good practice for the day when the
browser provides safe data access to other servers.
There is another danger in the interaction between external data and innerHTML
. A common Ajax pattern is for the server to
send an HTML text fragment that gets assigned to the innerHTML
property of an HTML element. This is a very bad practice.
If the HTML text contains a <script>
tag or
its equivalent, then an evil script will run. This again could be due to server
incompetence.
What specifically is the danger? If an evil script gets to run on your page, it gets access to all of the state and capabilities of the page. It can interact with your server, and your server will not be able to distinguish the evil requests from legitimate requests. The evil script has access to the global object, which gives it access to all of the data in the application except for variables hidden in closures. It has access to the document object, which gives it access to everything that the user sees. It also gives the evil script the capability to dialog with the user. The browser's location bar and all of the anti-phishing chrome will tell the user that the dialog should be trusted. The document object also gives the evil script access to the network, allowing it to load more evil scripts, or to probe for sites within your firewall, or to send the secrets it has learned to any server in the world.
This danger is a direct consequence of JavaScript's global object, which is far
and away the worst part of JavaScript's many bad parts. These dangers are not caused
by Ajax or JSON or XMLHttpRequest
or Web 2.0
(whatever that is). These dangers have been in the browser since the introduction of
JavaScript, and will remain until JavaScript is replaced or repaired. Be
careful.
3.145.15.1