I've been reading about Preventing the Execution of Unauthorized Script in JSON, and I want to use this practice.

The problem is that I don't know how I can do this.

My json result is like this

return Json(new { elements = elements }, JsonRequestBehavior.AllowGet);

I tried

return Json(new { "while(1);", elements = elements }, JsonRequestBehavior.AllowGet);

and it doesn't work.

How can I do this?

Duncan McGregor

Catalin

1 Answer

That's a good way to make your JSON invalid. You should instead focus on how you are parsing your JSON data. If you don't use eval to begin with, this won't be an issue. Invest in learning to use a framework such as jQuery. I believe jQuery avoids using eval altogether, meaning that it is safe for use even when malicious users attempt to inject scripts.

I would be quite surprised if GMail actually uses that technique to this day.

That being said, you are looking for either eval or JSON.parse.

Zenexer
  • I am using jQuery to parse the JSON object, and I am not using eval() to parse it. I've seen that Google and Facebook still do this (FB does for(;;)), which I think they have their reasons for. The problem was not how to parse the JSON object, but how to insert that small JavaScript function before the JSON object (from server-side). – Catalin Feb 08 '12 at 09:12
  • for(;;) is the same as while(1)--actually, it's theoretically more efficient. My answer to you is that you are corrupting your JSON, and jQuery is perfectly secure. Both of those sites might rely on eval in older browsers, thus the need for those catches. You're essentially buying a deadbolt for your door when you don't have a door to begin with. – Zenexer Feb 08 '12 at 09:15
  • Ok, I understand. But if somebody remotely accesses the Action, will it make a difference that I am using jQuery on my website? [link](http://stackoverflow.com/questions/2669690/why-does-google-append-while1-in-front-of-their-json-responses) – Catalin Feb 08 '12 at 09:21
  • If somebody remotely accesses the jQuery, it's their problem, and their responsibility to make a secure application. – Zenexer Feb 08 '12 at 09:27
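The server-side insertion the asker was after, as an added example that is not code from either participant: an ASP.NET MVC `JsonResult` subclass that writes the `while(1);` guard before the serialized payload, so a cross-site `<script src=...>` inclusion of the endpoint stalls in the loop while a same-origin XMLHttpRequest can strip the prefix and parse the rest. It assumes `System.Web.Mvc` and `JavaScriptSerializer` (System.Web.Extensions); the class and constant names `GuardedJsonResult`, `Prefix` and `ElementsController` are this example's own.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Script.Serialization;

// Writes a non-JSON prefix in front of the payload. The prefix is harmless to
// a client that removes it before JSON.parse, but makes the response useless
// as a cross-site <script> include, which is the point of the guard.
public class GuardedJsonResult : JsonResult
{
    public const string Prefix = "while(1);"; // Facebook uses "for(;;);" instead

    public override void ExecuteResult(ControllerContext context)
    {
        if (context == null) throw new ArgumentNullException("context");

        // Preserve JsonResult's own refusal to answer GET unless AllowGet was set.
        if (JsonRequestBehavior == JsonRequestBehavior.DenyGet &&
            string.Equals(context.HttpContext.Request.HttpMethod, "GET",
                          StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "GET is not allowed for this JSON result; set JsonRequestBehavior.AllowGet.");
        }

        var response = context.HttpContext.Response;
        response.ContentType = string.IsNullOrEmpty(ContentType) ? "application/json" : ContentType;
        if (ContentEncoding != null) response.ContentEncoding = ContentEncoding;

        if (Data != null)
        {
            var serializer = new JavaScriptSerializer();
            // Prefix first, then the real JSON document: "while(1);{"elements":[...]}"
            response.Write(Prefix + serializer.Serialize(Data));
        }
    }
}

public class ElementsController : Controller
{
    // Drop-in replacement for the asker's `return Json(new { elements = elements }, ...)`.
    public ActionResult Elements()
    {
        var elements = new[] { "a", "b" }; // constructed sample data
        return new GuardedJsonResult
        {
            Data = new { elements = elements },
            JsonRequestBehavior = JsonRequestBehavior.AllowGet
        };
    }
}
```

On the client, strip the prefix before parsing, for example with jQuery's `dataFilter` option (`dataFilter: function (t) { return t.substring("while(1);".length); }`) and then `JSON.parse` on the remainder; without that step every consumer of the endpoint, including your own page, will see a parse error.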