[nycphp-talk] PHP to ajax variable passing problem
csnyder
chsnyder at gmail.com
Fri Aug 10 14:57:42 EDT 2007
On 8/9/07, Dell Sala <dell at sala.ca> wrote:
>
> json.org provides a json decoder for javascript. I've always used
> this instead of eval. This will only parse the json subset, and will
> fail for other arbitrary javascript.
>
> http://www.json.org/js.html
> http://www.json.org/json.js
>
That script makes it _much_ safer to parse untrusted json, and if
there was any way to exploit it at all, someone would have found it by
now.... but it still uses eval().
--
Chris Snyder
http://chxo.com/
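
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not the json.org script: raw `eval()`, a simplified filter-then-`eval()` guard written for this illustration, and the native `JSON.parse` of current JavaScript engines (which postdates this 2007 thread), run on constructed inputs. The names `sideEffects`, `attempt` and the three parser functions are hypothetical.

```javascript
// Added example, not from json.org or the thread. Inputs are constructed.
const sideEffects = { count: 0 }; // bumped only if input text gets executed

// 1. Raw eval: whatever expression the text contains is run.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// 2. Filter, then eval (simplified guard written for this example):
//    drop string literals, then reject any character that cannot appear
//    in JSON punctuation, numbers, or true/false/null.
function parseWithGuardedEval(text) {
  const stripped = text.replace(/"(\\.|[^"\\])*"/g, '');
  if (/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(stripped)) {
    throw new SyntaxError('rejected by filter');
  }
  return eval('(' + text + ')'); // safety rests entirely on the filter above
}

// 3. Native parser: the text is only ever treated as data.
function parseStrict(text) {
  return JSON.parse(text);
}

// Run one parser on one input; report the outcome and whether code ran.
function attempt(parser, text) {
  const before = sideEffects.count;
  let outcome;
  try {
    parser(text);
    outcome = 'parsed';
  } catch (e) {
    outcome = 'rejected';
  }
  return { outcome, executed: sideEffects.count > before };
}

const goodJson = '{"user": "dell", "ids": [1, 2.5e3], "ok": true}';
const notJson = '(function () { sideEffects.count++; return {}; })()';

for (const [name, parser] of [['eval', parseWithEval],
    ['guarded eval', parseWithGuardedEval], ['JSON.parse', parseStrict]]) {
  console.log(name, attempt(parser, goodJson), attempt(parser, notJson));
}
```

Both the guarded version and `JSON.parse` reject the non-JSON input without running it, but only `JSON.parse` does so without handing the text to the interpreter at all.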