[e-lang] A promise based JSON command shell
Mike Samuel
mikesamuel at gmail.com
Tue Apr 28 14:03:37 EDT 2009
From http://waterken.sourceforge.net/web_send/
fragment arguments
Sometimes, it is useful to include information in a URL that won't
show up in the HTTP protocol's Referer header, but can be made
available to the server that issued the URL. To support this, the
web_send library can move information in the URL fragment to
the query component of the Request-URI. For example, for the call:
lib.Q.get(drum, 'hits');
target URLref        Request-URI
/myApp#s=obj456      /myApp?q=hits&s=obj456
This scheme seems to take fragment parts and merge them into the
namespace of form parameters. So if someone can control a link on the
page and get the user to click it, then they can potentially add query
parameters, allowing them to spoof an enabled checkbox or radio
button.
Could query parameters derived from the fragment portion be moved into
a namespace less likely to conflict with form data?
Shameless plug follows.
The key components are:
json2.js
JSON encoding and decoding
If you want to avoid using json2's JSON.parse, which delegates to eval,
http://code.google.com/p/json-sans-eval/source/browse/trunk/src/json_sans_eval.js
is a fast JSON parser that doesn't use eval under the hood.
cheers,
mike
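
Added example, not part of the original message and not web_send's code: a model of the fragment-to-query merge as the quoted documentation describes it, next to a variant that keeps fragment-derived parameters under a reserved prefix. The function names, the `frag.` prefix and the `subscribe` form field are assumptions made for illustration.

```javascript
// Added illustration, not web_send's code: a model of the fragment-to-query
// merge quoted above, plus a namespaced variant. FRAG_PREFIX is hypothetical.
const FRAG_PREFIX = 'frag.';

function splitRef(urlref) {
  const i = urlref.indexOf('#');
  return i < 0 ? [urlref, ''] : [urlref.slice(0, i), urlref.slice(i + 1)];
}

// Merge as described: fragment arguments share the form-parameter namespace.
function naiveRequestURI(urlref, formParams) {
  const [path, fragment] = splitRef(urlref);
  const query = new URLSearchParams(formParams);
  for (const [k, v] of new URLSearchParams(fragment)) query.append(k, v);
  return path + '?' + query.toString();
}

// Namespaced merge: fragment arguments get a reserved prefix, and form
// fields are not allowed to use that prefix.
function namespacedRequestURI(urlref, formParams) {
  const [path, fragment] = splitRef(urlref);
  const query = new URLSearchParams();
  for (const [k, v] of Object.entries(formParams)) {
    if (k.startsWith(FRAG_PREFIX)) throw new Error('reserved form field: ' + k);
    query.append(k, v);
  }
  for (const [k, v] of new URLSearchParams(fragment)) query.append(FRAG_PREFIX + k, v);
  return path + '?' + query.toString();
}

// What a server reading form fields from the query would see.
function formFields(requestURI) {
  const query = new URLSearchParams(requestURI.slice(requestURI.indexOf('?') + 1));
  const fields = {};
  for (const [k, v] of query) if (!k.startsWith(FRAG_PREFIX)) fields[k] = v;
  return fields;
}

// Constructed inputs: the page's example link, and one whose fragment
// carries a name that is also a checkbox field on the form.
const form = { q: 'hits' };               // 'subscribe' checkbox left unchecked
const docLink = '/myApp#s=obj456';
const craftedLink = '/myApp#s=obj456&subscribe=on';

console.log(naiveRequestURI(docLink, form));
console.log(formFields(naiveRequestURI(craftedLink, form)));
console.log(formFields(namespacedRequestURI(craftedLink, form)));
```

With the shared namespace the server cannot tell the fragment-supplied `subscribe=on` from a checked box; with the prefix, fragment arguments stay readable to the server but never appear among the form fields.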