[e-lang] A promise based JSON command shell

Mike Samuel mikesamuel at gmail.com
Tue Apr 28 14:03:37 EDT 2009


From http://waterken.sourceforge.net/web_send/

    fragment arguments

    Sometimes, it is useful to include information in a URL that won't
    show up in the HTTP protocol's Referer header, but can be made
    available to the server that issued the URL. To support this, the
    web_send library can move information in the URL fragment to
    the query component of the Request-URI. For example, for the call:

    lib.Q.get(drum, 'hits');

    target URLref      Request-URI
    /myApp#s=obj456    /myApp?q=hits&s=obj456

This scheme seems to take fragment parts and merge them into the
namespace of form parameters.  So if someone can control a link on the
page and get the user to click it, then they can potentially add query
parameters, allowing them to spoof an enabled checkbox or radio
button.

Could query parameters derived from the fragment portion be moved into
a namespace less likely to conflict with form data?


Shameless plug follows.

    The key components are:

    json2.js
        JSON encoding and decoding

If you want to avoid using json2's JSON.parse which delegates to eval,
http://code.google.com/p/json-sans-eval/source/browse/trunk/src/json_sans_eval.js
is a fast JSON parser that doesn't use eval under the hood.

cheers,
mike
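
The namespace question raised in the message above, as an added example that is not part of the original post and is not web_send's code: flatRequestURI models the rewrite quoted from the documentation, and namespacedRequestURI shows one way to keep fragment-derived parameters apart from form data. The function names, the `frag.` prefix and the sample link are assumptions made for illustration.

```javascript
// Hypothetical reserved prefix for parameters that came from the URL fragment.
const FRAGMENT_PREFIX = 'frag.';

// Split a URLref into [everything before '#', fragment]. Assumes no existing query.
function splitUrlref(urlref) {
  const hash = urlref.indexOf('#');
  return hash < 0 ? [urlref, ''] : [urlref.slice(0, hash), urlref.slice(hash + 1)];
}

// Flat merge (model of the documented rewrite): fragment arguments land in
// the same namespace as form parameters, so the server cannot tell them apart.
function flatRequestURI(urlref, formParams) {
  const [path, fragment] = splitUrlref(urlref);
  const query = new URLSearchParams(formParams);
  for (const [k, v] of new URLSearchParams(fragment)) query.append(k, v);
  return `${path}?${query}`;
}

// Namespaced merge: fragment arguments get a reserved prefix, and form
// fields are refused if they try to use that prefix themselves.
function namespacedRequestURI(urlref, formParams) {
  const [path, fragment] = splitUrlref(urlref);
  const query = new URLSearchParams();
  for (const [k, v] of Object.entries(formParams)) {
    if (k.startsWith(FRAGMENT_PREFIX)) throw new Error(`reserved prefix in form field: ${k}`);
    query.append(k, v);
  }
  for (const [k, v] of new URLSearchParams(fragment)) query.append(FRAGMENT_PREFIX + k, v);
  return `${path}?${query}`;
}

// Server side: sort received parameters by origin before acting on them.
function parseByOrigin(requestURI) {
  const form = {}, fragment = {};
  const qs = requestURI.slice(requestURI.indexOf('?') + 1);
  for (const [k, v] of new URLSearchParams(qs)) {
    if (k.startsWith(FRAGMENT_PREFIX)) fragment[k.slice(FRAGMENT_PREFIX.length)] = v;
    else form[k] = v;
  }
  return { form, fragment };
}

// Constructed sample: a link whose fragment carries a name that is also a
// form field ("agree"), submitted with a form where that box is unchecked.
const link = '/myApp#s=obj456&agree=on';
const form = { q: 'hits' };
console.log(flatRequestURI(link, form));       // agree=on looks like form data
console.log(parseByOrigin(namespacedRequestURI(link, form)));
```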

