November 2nd, 2014
jQgrid does JSON-parsing via "eval"
14/09/2009 10:22
ghum (Member, Forum Posts: 11, Member Since: 17/05/2009)

within grid.base.js, there is:

parse : function(jsonString) {
    var js = jsonString;
    // strip the "while(1);" anti-JSON-hijacking prefix, if present
    if (js.substr(0,9) == "while(1);") { js = js.substr(9); }
    // strip a "/* ... */" comment wrapper, if present
    if (js.substr(0,2) == "/*") { js = js.substr(2,js.length-4); }
    if(!js) { js = "{}"; }
    // the remaining text is executed as JavaScript, not merely parsed as data
    with(window) {
        return  eval('('+js+')');
    }
},

using eval() poses quite some hacking potential; and better browsers nowadays have included an ultra-optimized JSON parser with the global JSON object. An easy substitute is to:

a) include

http://www.json.org/json2.js

(public domain code)

b) replace those lines with

parse : function(jsonString) {
    return JSON.parse(jsonString);
},

json2.js makes sure that the native browser JSON parser gets used if available, and otherwise is better protected against injection of malicious code.

Harald

14/09/2009 22:35
tony (Moderator, Sofia, Bulgaria, Forum Posts: 7721, Member Since: 30/10/2007)

Hello,

Thanks. Why do you think that this is a bug?

Also do the following - after you load the jqGrid JS files include in your load the ultra-optimized JSON parser and do the following

<script>
$.extend($.jgrid, {
    parse : function(jsonString) {
        return JSON.parse(jsonString);
    }
});
</script>

This will overwrite the jqGrid parse function.

Regards

Tony

For professional UI suites for Java Script and PHP visit us at our commercial products site - guriddo.net - by the very same guys that created jqGrid.

15/09/2009 06:40
ghum (Member, Forum Posts: 11, Member Since: 17/05/2009)

Tony,

> Thanks. Why do you think that this is a bug?

"bug" may be a hard word 🙂 But there is no forum for "potential security risks"...

It may be an unnecessary security risk - as eval() may have side effects (probably the reason for the "protect against while(1)" at the beginning).

Mozilla took its time to implement the global JSON object for a reason - as eval() has to take more care than "unserialize an object". I did not time it, but would bet that on recent browsers native JSON.parse is faster than eval().

Thanks for that .extend - that can help me in other situations, too!

best wishes

Harald
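To make the thread's point concrete, here is an added example (not jqGrid's code and not from either poster): the eval-based parser reduced to its essentials next to a JSON.parse replacement that keeps the same "while(1);" and "/* */" unwrapping, so it stays a drop-in for the $.extend($.jgrid, ...) override Tony shows. The function names, the side-effect counter and the two sample responses are constructed for this example; the `with(window)` wrapper is left out because it is not needed to show the difference.

```javascript
// Added example, not jqGrid code. Compares the legacy eval-based parse with a
// JSON.parse-based replacement that preserves the same wrapper stripping.

let sideEffects = 0; // incremented only if "data" handed to the parser gets executed

// Strip the anti-JSON-hijacking wrappers the original grid.base.js parser understands.
function unwrap(jsonString) {
  let js = jsonString;
  if (js.startsWith('while(1);')) js = js.slice(9);           // "while(1);{...}"
  if (js.startsWith('/*')) js = js.slice(2, js.length - 2);   // "/*{...}*/"
  return js || '{}';
}

// Legacy behaviour: the response text is evaluated as JavaScript.
function legacyParse(jsonString) {
  return eval('(' + unwrap(jsonString) + ')');
}

// Hardened replacement: the text is only ever parsed as data; anything that is
// not strict JSON throws a SyntaxError instead of running.
function safeParse(jsonString) {
  return JSON.parse(unwrap(jsonString));
}

// Constructed samples: a well-formed wrapped response, and a response that looks
// like JSON but carries a JavaScript expression in one of its values.
const legit = 'while(1);{"rows":[{"id":1,"name":"alpha"}],"records":1}';
const tainted = '/*{"rows":[],"records":(sideEffects++, 0)}*/';

// Runs both parsers over both samples and reports what happened.
function demo() {
  const fromSafe = safeParse(legit);                 // wrapper stripped, data returned
  let safeRejected = false;
  try { safeParse(tainted); } catch (e) { safeRejected = e instanceof SyntaxError; }
  const before = sideEffects;
  const fromLegacy = legacyParse(tainted);           // eval evaluates the embedded expression
  return {
    records: fromSafe.records,                       // 1
    safeRejected,                                    // true: JSON.parse refuses the expression
    legacyRan: sideEffects === before + 1,           // true: eval executed it
    legacyRecords: fromLegacy.records,               // 0, computed at parse time
  };
}
```

The JSON.parse version still accepts every legitimate wrapped response the old parser did, which is the check to run before swapping the function in via $.extend.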
