We are looking at using the unparseable cruft approach for our JSON as an extra level of security.
In looking at the approaches, I've come across Google's while(1); and Facebook's for(;;); and then another mention of {}&&.
I've seen comments surrounding the while(1); that say the 1, being numeric, can get clobbered, so my approach was going to be the for(;;);.
Then I came across the {}&&, which renders the JSON as invalid yet it can still be parsed/eval'ed. See this article for reference: http://www.sitepen.com/blog/2008/09/25/security-in-ajax/
What are your approaches? And what do your functions look like for making the Ajax call with the unparseable cruft?
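As an added example (not code from the question, the linked article, or any of the sites named), here is a small client/server pair that puts the three prefixes side by side. The names guardResponse, parseGuardedJson, compilesAsScript and describeGuards are my own, and the record list is constructed sample data. The cooperating client strips a known prefix and hands the remainder to JSON.parse; it never evals the body. compilesAsScript uses new Function() to ask the same question a hostile page's script tag would ask, "is this text a valid script?", without running it, so the infinite-loop prefixes are safe to probe.

```javascript
'use strict';

// Constructed sample: the kind of per-user data a JSON hijack would go after.
const SAMPLE_RECORDS = [{ email: 'alice@example.com' }, { email: 'bob@example.com' }];

// The three guard prefixes named in the question. Loaded via <script src=...> by a
// third-party page, the first two spin forever before the data expression is reached,
// and the third is a syntax error at statement position ({} is an empty block, so the
// following && has nothing to attach to).
const PREFIXES = ['while(1);', 'for(;;);', '{}&&'];

// Server side (assumed helper): prepend the chosen guard to the serialised value.
function guardResponse(value, prefix) {
  if (!PREFIXES.includes(prefix)) {
    throw new Error('unknown guard prefix: ' + prefix);
  }
  return prefix + JSON.stringify(value);
}

// Client side (assumed helper): strip exactly one known guard, then JSON.parse.
// The guard defends against other origins loading the URL as a script; it is not a
// reason for the cooperating client to eval anything.
function parseGuardedJson(body) {
  for (const prefix of PREFIXES) {
    if (body.startsWith(prefix)) {
      return JSON.parse(body.slice(prefix.length));
    }
  }
  // No guard means the server-side protection is missing or broken: fail closed.
  throw new Error('response did not carry a recognised guard prefix');
}

// Would a browser accept this text as a script at all? new Function() only compiles
// the body, so while(1); and for(;;); do not hang here.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

function isDirectlyParseable(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// One row per guard: can JSON.parse take it raw, does it compile as a bare script,
// does the old eval('(' + text + ')') idiom accept it, and does our client recover it?
function describeGuards() {
  return PREFIXES.map((prefix) => {
    const body = guardResponse(SAMPLE_RECORDS, prefix);
    return {
      prefix,
      directlyParseable: isDirectlyParseable(body),
      compilesAsScript: compilesAsScript(body),
      evalWithParens: compilesAsScript('(' + body + ')'),
      recovered: JSON.stringify(parseGuardedJson(body)) === JSON.stringify(SAMPLE_RECORDS),
    };
  });
}
```

Running describeGuards() shows the trade-off the question is circling: while(1); and for(;;); compile as a script (and would hang a page that loads them), so the only thing stopping a hostile page is the loop itself, while {}&& is rejected outright as a script yet still evaluates to the array under the parenthesised-eval idiom, because ({} && [...]) is an ordinary expression whose left side is a truthy object literal. Whichever prefix is chosen, the client above treats a response without a guard as an error rather than silently parsing it.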
I just always use a root object. As noted:
Note that having a root primitive (e.g. your response is just 5) is not valid JSON. Section 2 of the RFC says:
This isn't much of a burden, as I (and many sites) typically use an envelope format. E.g.:
or:
etc.
In that case, any array would just be the value of data, so you can serve syntactically valid JSON without any hijacking risk.
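As an added example (not the answerer's code; the envelope examples in the answer did not survive on the page, so the key name data is my assumption), this shows why a root object needs no cruft at all. A bare JSON array is also a valid JavaScript program, which is what made script-tag hijacking possible in older browsers, whereas {"data": ...} at statement position is a syntax error: the opening brace starts a block, "data" is a string-literal expression statement, and the colon that follows has nowhere to go. The helpers envelope, openEnvelope and compilesAsScript are my own names.

```javascript
'use strict';

// Constructed sample: a list the server should only ever hand to its own pages.
const SAMPLE_RECORDS = [{ email: 'alice@example.com' }, { email: 'bob@example.com' }];

// Server side (assumed helper): wrap the payload in a root object. Any array, including
// an empty one, becomes the value of "data"; meta carries optional top-level fields.
function envelope(payload, meta) {
  return JSON.stringify(Object.assign({ data: payload }, meta || {}));
}

// Client side (assumed helper): plain JSON.parse, then a shape check before unwrapping.
// Anything that is not a non-array object with a "data" key is rejected rather than used.
function openEnvelope(body) {
  const parsed = JSON.parse(body);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed) || !('data' in parsed)) {
    throw new Error('response is not an envelope object');
  }
  return parsed.data;
}

// Would a hostile page's <script src=...> accept this body as a script? new Function()
// compiles without executing, which is all we need to answer that.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Compare the bare array with its enveloped form, plus two edge cases worth knowing:
// an empty object is a valid (empty) block, and an object with an UNQUOTED key parses
// as a labelled statement. JSON.stringify always quotes keys, so only a hand-written
// or non-compliant serialiser can produce the second one.
function compareShapes() {
  return {
    bareArray: compilesAsScript(JSON.stringify(SAMPLE_RECORDS)),
    enveloped: compilesAsScript(envelope(SAMPLE_RECORDS)),
    emptyObject: compilesAsScript('{}'),
    unquotedKey: compilesAsScript('{data:[1]}'),
  };
}
```

compareShapes() returns true for the bare array and false for the envelope, which is the whole point of the answer: the same data, served as the value of a root object, cannot be consumed as a script. The two edge cases are the caveats a reviewer would want stated: an empty object compiles (harmless, since there is nothing in it to leak), and the protection depends on keys being quoted, which any JSON serialiser does but a template that emits {data: ...} by hand does not.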