Improve security by creating un-eval-uatable ("unparsable cruft") JSON?

Question

Improve security by creating un-eval-uatable ("unparsable cruft") JSON?

we see our unsurpassed approach to our json as an extra layer of security.

When looking at the approaches, I came across google while(1);and facebook for(;;); and then another mention of{}&&

I saw the comments surrounding while(1);that say that the number 1 can be knocked down, so my approach will be for(;;);.

Then I came across {}&&what makes json invalid, but it can still be parsed / eval 'ed. See this article for reference: http://www.sitepen.com/blog/2008/09/25/security-in-ajax/

What are your approaches? and what do your functions look like in order to make an ajax call with an unsurpassed case?

+3

json security parsing taint

Jason Apr 25 '12 at 23:13

source share

1 answer

Matthew Flaschen · Accepted Answer · 2012-04-25T23:19:23+0000

I always use the root object. As noted:

You can only capture JSON data using the root, which is an array. When a root is primitive, primitive values do not invoke the constructor. When the root is an object, it has invalid JavaScript syntax and therefore cannot be parsed.

Note that having a root primitive (e.g. your answer is simple 5) is not valid JSON. Section 2 of the RFC says:

JSON text is a serialized object or array.
  JSON-text = object / array

This is not a big load, as I (and many sites) usually use the envelope format. For instance:.

{
  "header": {...},
  "data": {...}
}

or

{
  "status": {...},
  "data": {...}
}

and etc.

, JSON .

Improve security by creating un-eval-uatable ("unparsable cruft") JSON?

More articles: