
provide a feature to protect against remote "script src" inclusion of Gson output #42

Closed
GoogleCodeExporter opened this issue Mar 19, 2015 · 7 comments

Comments

@GoogleCodeExporter

Would it be possible to provide a feature which would prepend a string (e.g. "while(1);") in front of the JSON output on the server side and have the client-side library remove that string before deserializing, to prevent 3rd-party sites from <script src>'ing the output?

Original issue reported on code.google.com by mede...@gmail.com on 8 Sep 2008 at 6:46

@GoogleCodeExporter

It would be great to have some central way of enabling it for all GSON objects in a given app.

Original comment by mede...@gmail.com on 8 Sep 2008 at 6:53

@GoogleCodeExporter

Instead of while(1); can we use the following prefix:
)]}'
<data>

Please notice the newline character after '

thanks!

Original comment by mede...@gmail.com on 10 Sep 2008 at 8:25

@GoogleCodeExporter

This is a great feature request.  Thanks for the suggestion.

I have added this to our roadmap for version 1.2.1 which is slotted for early October.

Original comment by joel.leitch@gmail.com on 14 Sep 2008 at 7:39

  • Changed state: Accepted

@GoogleCodeExporter

Hi Joel, I was wondering what the status of this is?

Original comment by mede...@gmail.com on 17 Mar 2009 at 9:26

@GoogleCodeExporter

Fixed in r397 by supporting a new GsonBuilder setting generateNonExecutableJson() that prefixes the generated JSON with some )]}'\n<data> to make the output non-executable JavaScript. Gson now recognizes this special text in the input while parsing the JSON in fromJson and filters it out, if present.

Original comment by inder123 on 17 Mar 2009 at 9:15

  • Changed state: Fixed
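
The client side of the scheme described in this thread, as an added example that is not part of the issue or of Gson itself: it shows that a plain JSON array body is valid JavaScript (so a cross-site <script src> could consume it), that the )]}'\n prefix turns it into a syntax error, and how a client strips the prefix before JSON.parse the way Gson's fromJson does. The sample body is constructed, not real Gson output.

```javascript
// The prefix Gson emits when generateNonExecutableJson() is set (see this issue).
const NON_EXECUTABLE_PREFIX = ")]}'\n";

// True when `body` parses as a JavaScript program, i.e. a third-party page could
// load it via <script src="...">. The Function constructor is used only as a
// syntax check: the body is compiled, never called, so nothing in it executes.
function isValidScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Client-side counterpart of Gson.fromJson: remove the prefix if present, then
// parse the remainder as JSON. `hadPrefix` is returned so a strict client can
// reject a response that arrived without the protection it expects.
function parseNonExecutableJson(body) {
  const hadPrefix = body.startsWith(NON_EXECUTABLE_PREFIX);
  const json = hadPrefix ? body.slice(NON_EXECUTABLE_PREFIX.length) : body;
  return { value: JSON.parse(json), hadPrefix };
}

// Constructed sample: a JSON array as a server would emit it without the
// setting, and the same array with the prefix that the setting adds.
const PLAIN_BODY = '[{"id":1,"email":"a@example.com"},{"id":2,"email":"b@example.com"}]';
const PREFIXED_BODY = NON_EXECUTABLE_PREFIX + PLAIN_BODY;

// Summary a reader can run stand-alone to compare the two forms.
function demo() {
  return {
    plainIsScript: isValidScript(PLAIN_BODY),        // true: loadable as a script
    prefixedIsScript: isValidScript(PREFIXED_BODY),  // false: SyntaxError at ')'
    parsed: parseNonExecutableJson(PREFIXED_BODY),   // prefix removed, JSON parsed
  };
}

console.log(demo());
```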

@GoogleCodeExporter

Original comment by inder123 on 27 Mar 2009 at 7:41

  • Added labels: Milestone-Release1.3

@GoogleCodeExporter

Is there a reason the NON_EXECUTABLE_PREFIX wasn't made configurable? I just submitted a request for it to be made configurable.
https://code.google.com/p/google-gson/issues/detail?id=551

Original comment by heath.bo...@gmail.com on 17 Dec 2013 at 11:03
