
javascript - Are there any injection vulnerabilities in JSON? - Stack Overflow


It's not about eval()

Let's say I have a #password input, and I send this data as part of a JSON object

var toSend = {
    text: 'hello',
    pass: $("#password").val()
};

Do I need to validate input? Would ", you: "are hacked" be interpreted on the other side of the communication as a single string, or as an empty string and another property?

edit: Nothing would happen in a browser environment, but what if the JSON is sent over the internet as plain text and parsed again?


asked Feb 25, 2012 at 21:46 by Viller; edited Oct 18, 2012 at 20:24 by h3xStream
  • 1 All user submitted data is evil and must be cleansed. – Michael Robinson Commented Feb 25, 2012 at 21:48
  • @MichaelRobinson: Not in this case. Parser does it automatically – Martin. Commented Feb 25, 2012 at 21:51
  • never trust user input, no matter how secure the defaults are. that's one rule when dealing with these things. always be cautious. – Joseph Commented Feb 25, 2012 at 21:55

1 Answer


If you would do the thing you're describing, nothing would happen, as JSON is being escaped (if you're using a parser (JS object -> JSON)).

Nothing would happen in browser environment, but if JSON would be sent over internet as plain text and parsed again?

If you're parsing the string version (JSON) to a JS object, all values are unescaped, so you have to escape them afterwards.
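
The following is an added example, not code from the question or the answer. It sends the string quoted in the question through `JSON.stringify` and, for contrast, through hand-built JSON, then shows that a parsed value is raw text again and still needs encoding for its output context. The function names, the quoted-key variant of the input and the HTML output context are assumptions made for illustration.

```javascript
// Constructed inputs for the demo.
const fromPage = '", you: "are hacked';     // the string quoted in the question
const quotedKey = '", "you": "are hacked';  // constructed variant with a quoted key

// Serializer path (JS object -> JSON): quotes inside the value are escaped.
function sendWithStringify(pass) {
  return JSON.stringify({ text: 'hello', pass: pass });
}

// Hand-built JSON, shown only for contrast: the value is pasted in unescaped.
function sendWithConcat(pass) {
  return '{"text":"hello","pass":"' + pass + '"}';
}

// Receiver: parse the wire text and report the keys, or the parse error name.
function receive(wire) {
  try {
    const obj = JSON.parse(wire);
    return { ok: true, keys: Object.keys(obj), pass: obj.pass };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// After parsing, the value is unescaped text. Encode it for the context it is
// written into (HTML is assumed here; SQL, shell, etc. need their own handling).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function demo() {
  return {
    stringifyWire: sendWithStringify(fromPage),
    stringifyRoundTrip: receive(sendWithStringify(fromPage)),
    concatFromPage: receive(sendWithConcat(fromPage)),
    concatQuotedKey: receive(sendWithConcat(quotedKey)),
    htmlSafe: escapeHtml(receive(sendWithStringify('<b>"x"</b>')).pass),
  };
}

console.log(demo());
```

With the serializer the receiver gets exactly two keys and the original string back; only the hand-concatenated form either fails to parse or gains a third property.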
