[Tickets #5307] Re: Upgrade Prototype to 1.5.1_rc3 and make use of CSRF protection
bugs at bugs.horde.org
Wed May 2 20:27:28 UTC 2007
Ticket URL: http://bugs.horde.org/ticket/?id=5307
-----------------------------------------------------------------------
Ticket | 5307
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | Upgrade Prototype to 1.5.1_rc3 and make use of CSRF protection
Queue | Horde Base
Version | HEAD
Type | Enhancement
State | Feedback
Priority | 2. Medium
Owners |
-----------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2007-05-02 13:27) wrote:
> I'll have to think about that one a bit more myself. Meanwhile, we
> use it in Gollem in a similar style as to IMP/DIMP I believe.
Outputting JSON directly in our javascript includes is no different than
writing some javascript code such as "var a = { b: 1 };". That is JSON,
but you can't tell me we need to run every single object we create through
evalJSON().
I think the question boils down to "how much do we trust any input that we
are outputting via JSON." Obviously, we can exploit all we want if we
ourselves are outputting bad JSON. But if that is happening, we are
either scheming and mischievous people (unlikely) or we need to do a
better job of filtering the data on the PHP side rather than the browser
side.
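An added example of the PHP-side filtering the comment argues for (not Horde's code): the data is built as a PHP array and serialised with json_encode(), so the JavaScript include receives a well-formed object literal whose values cannot close the surrounding script block. The helper name and the sample folder name are constructed for this illustration.

```php
<?php
// Added example, not Horde code. Emits a JSON value that is safe to place
// directly inside a <script> block or a JavaScript include.
function jsLiteral(array $data): string
{
    // JSON_HEX_TAG turns < and > into \u003C / \u003E, so a value such as
    // "</script>" can no longer terminate the enclosing script element.
    // JSON_HEX_QUOT / JSON_HEX_APOS / JSON_HEX_AMP cover quote and ampersand
    // contexts in the same way.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode($data, $flags);
    if ($json === false) {
        // Refuse to emit anything rather than a truncated or invalid literal.
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

// Constructed untrusted input: a folder name chosen by a user.
$untrusted = array('name' => 'Drafts</script>', 'unseen' => 3);

// Unsafe: string interpolation puts the raw value into the page and lets
// the closing tag inside the value end the script block early.
$unsafe = "var folder = { name: '" . $untrusted['name'] . "' };";

// Safe: the literal is produced by the encoder, never by concatenation.
$safe = 'var folder = ' . jsLiteral($untrusted) . ';';

echo $unsafe, "\n";
// var folder = { name: 'Drafts</script>' };
echo $safe, "\n";
// var folder = {"name":"Drafts\u003C\/script\u003E","unseen":3};
```

Filtering at this point is what keeps direct output equivalent to hand-written "var a = { b: 1 };"; running the result through evalJSON() in the browser adds nothing if the server already emits a correct literal.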