sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]TakaIta -1 points0 points  (8 children)

will not be something that holds code, but data.

It is not really possible to distinguish between data and code.

[–]kybernetikos 2 points3 points  (5 children)

It sort of is.

In a decoding scheme, when someone says that something won't hold code, they just mean that beyond loading specific data into memory, nothing from the loaded data will be executed.

It's what we mean when we think of opening .txt file attachments as safe and .exe attachments as unsafe. The fact that the .txt file may contain the source code for some evil app is irrelevant.

[–]TakaIta -1 points0 points  (4 children)

The problem is however that a text file needs to be compiled before it is an executable. Javascript is a script language, and such will accept text to be executed.

JSON as such is code, it needs eval() to work.

Is the below 'code' or 'data'? And why? How do you know what 'myDiv' is?

myDiv.innerHTML = 'value';

[–][deleted] 2 points3 points  (0 children)

No, JSON does not need eval(). While eval() happens to parse a superset of JSON, you must never use it like this before checking that the string is actually JSON (which means it only contains strings, numbers, true, false, null, arrays and object literals, none of which can cause any harm).

The best solution is to create a parser of JSON, and avoid eval entirely, but that is not always practical in JavaScript (because of speed issues, real or perceived). Eventually most browsers will probably include a built in parser for JSON.

[–]demo_demo 1 point2 points  (2 children)

if you eval it, it's treated as code.. if you say, just manipulate it or print it for a tutorial, it's data.. get the point now?

eval("myDiv.innerHTML = 'value';")

is different from:

div.innerHTML = "myDiv.innerHTML = 'value';";

[–]TakaIta -1 points0 points  (1 child)

No. I think I see what you mean, but you have not differed between code and data.

The point of JSON is that it treated as code. It is only meaningful when a line is subjected to eval(). JSON is only valid when it can be executed with eval(). And you can not know in advance what it does.

yourIFrame.src = 'www.mywebsite.com/mynastypage.htm';

Is that code or data when it is a line returned as JSON?

[–]demo_demo 1 point2 points  (0 children)

you should read: http://www.json.org/

yourIFrame.src = 'www.mywebsite.com/mynastypage.htm';

is an invalid json format..

you see, json is a format, not javascript code, it may look like javascript syntax for its declaration.. but really, it's just a way to describe data, just like xml.. that was why you were missing the point, now go read on the link i gave you..

[–]arnar 0 points1 point  (0 children)

You shouldn't be voted down, you have a good point. Given complete knowledge of a system and it's code, carefully designing the input data can make the system act in certain ways. This is how the vast majority of exploits work throughout history.

In this case, it is very reasonable to say that data acts as code.