Is there a reason that when evaluating the X-JSON header, the Ajax classes don't (a) pass true to the evalJSON() function to make sure that the JSON is sanitary? See Ajax.Request.evalJSON() on line 1141 (1.5.1.rc4).

-- Dash --

--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Spinoffs" group. To post to this group, send email to rubyonrails-spinoffs-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-spinoffs-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-spinoffs?hl=en -~----------~----~----~----~------~----~------~--~---
Christophe Porteneuve
2007-Apr-30 15:50 UTC
Re: Use of X-JSON header for auto-JSON evaluation
Hey David,

David Dashifen Kees wrote:
> Is there a reason that when evaluating the X-JSON header, the Ajax
> classes don't (a) pass true to the evalJSON() function to make sure that
> the JSON is sanitary? See Ajax.Request.evalJSON() on line 1141 (1.5.1.rc4).

The ajax/ branch holds a major overhaul of this, and provides a brand-new Ajax.Response object to be used instead of the raw transport object currently being passed to callbacks.

It will feature two new sanitizeJSON and evalJSON options, which will deal with both the X-JSON header and JSON-typed response texts.

It's still subject to debate and polish within Core, but expect it for 1.5.2.

-- 
Christophe Porteneuve aka TDD
tdd-x+CfDp/qHev2eFz/2MeuCQ@public.gmane.org
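The point behind Dash's question and Christophe's sanitizeJSON answer is that an X-JSON header value is data the browser receives from the network, and handing it to eval() treats it as code. The following is an added example, not Prototype's own code: it contrasts evaluating a header value with and without a sanitize step in the shape of the String evalJSON(sanitize) idiom the thread refers to. The whitelist regex follows the widely used Crockford json.js character check; that Prototype used exactly this pattern is an assumption, and the readXJSON() helper, its null-on-failure behaviour and the two header values are constructed for the demonstration.

```javascript
// Added example (not Prototype's code): an X-JSON header value evaluated
// with and without a sanitize check. The whitelist regex is the Crockford
// json.js style check; treating it as Prototype's exact pattern is an
// assumption, not a quotation of the library's source.

// Whitelist check: neutralise escapes, drop string literals, then require
// that only JSON punctuation, digits, whitespace and the letters needed for
// true/false/null and exponents remain. Parentheses, identifiers and
// operators all fail, so a function call never reaches eval().
function isJSON(text) {
  var stripped = text.replace(/\\./g, '@').replace(/"[^"\\\n\r]*"/g, '');
  return /^[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]*$/.test(stripped);
}

// With sanitize=false the value goes straight to eval() and runs as script;
// with sanitize=true anything that is not a pure JSON literal is refused.
function evalJSON(text, sanitize) {
  if (sanitize && !isJSON(text)) {
    throw new SyntaxError('Badly formed JSON string: ' + text);
  }
  return eval('(' + text + ')');
}

// Stand-in for the Ajax class reading transport.getResponseHeader('X-JSON').
// `headers` is a plain object constructed for the example; a missing or
// rejected value yields null (this example's choice, not the library's).
function readXJSON(headers, sanitize) {
  var json = headers['X-JSON'];
  if (!json) return null;
  try {
    return evalJSON(json, sanitize);
  } catch (e) {
    return null;
  }
}

// Modern equivalent: JSON.parse is a parser, not an evaluator, so it can
// never execute the value and needs no whitelist step at all.
function parseStrict(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Constructed header values (not captured traffic). BENIGN is what a
// well-behaved server sends. HOSTILE is valid JavaScript that also yields an
// object, so an unsanitized eval() cannot tell the two apart.
var BENIGN = '{"user": "dash", "roles": ["admin"], "active": true}';
var HOSTILE = '(function () { globalThis.pwned = true; return {"user": "dash"}; })()';

function demo() {
  globalThis.pwned = false;
  var benignRaw = readXJSON({ 'X-JSON': BENIGN }, false);
  var benignSane = readXJSON({ 'X-JSON': BENIGN }, true);

  var hostileRaw = readXJSON({ 'X-JSON': HOSTILE }, false);
  var ranWithoutSanitize = globalThis.pwned;   // the embedded script ran

  globalThis.pwned = false;
  var hostileSane = readXJSON({ 'X-JSON': HOSTILE }, true);
  var ranWithSanitize = globalThis.pwned;      // refused before eval()

  return {
    benignRaw: benignRaw,
    benignSane: benignSane,
    hostileRaw: hostileRaw,
    hostileSane: hostileSane,
    ranWithoutSanitize: ranWithoutSanitize,
    ranWithSanitize: ranWithSanitize,
    benignJsonParse: parseStrict(BENIGN),
    hostileJsonParse: parseStrict(HOSTILE)
  };
}

console.log(demo());
```

Run it with node: the benign value parses identically on every path, the hostile value is silently executed on the unsanitized path (hostileRaw still looks like a normal object, which is why the side effect is the only evidence) and refused on the sanitized and JSON.parse paths. The whitelist is a character filter applied before eval(), not a parser, so it is only a guard for the eval()-based design of the time; where JSON.parse is available it replaces both steps.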
David Dashifen Kees
2007-Apr-30 16:31 UTC
Re: Use of X-JSON header for auto-JSON evaluation
Awesome :)

- Dash -

Christophe Porteneuve wrote:
> Hey David,
>
> David Dashifen Kees wrote:
>
>> Is there a reason that when evaluating the X-JSON header, the Ajax
>> classes don't (a) pass true to the evalJSON() function to make sure that
>> the JSON is sanitary? See Ajax.Request.evalJSON() on line 1141 (1.5.1.rc4).
>
> The ajax/ branch holds a major overhaul of this, and provides a
> brand-new Ajax.Response object to be used instead of the raw transport
> object currently being passed to callbacks.
>
> It will feature two new sanitizeJSON and evalJSON options, which will
> deal with both the X-JSON header and JSON-typed response texts.
>
> It's still subject to debate and polish within Core, but expect it for
> 1.5.2.
On 30 Apr, 11:50, Christophe Porteneuve <t...-x+CfDp/qHev2eFz/2MeuCQ@public.gmane.org> wrote:
> Hey David,
>
> David Dashifen Kees wrote:
>
> > Is there a reason that when evaluating the X-JSON header, the Ajax
> > classes don't (a) pass true to the evalJSON() function to make sure that
> > the JSON is sanitary? See Ajax.Request.evalJSON() on line 1141 (1.5.1.rc4).
>
> The ajax/ branch holds a major overhaul of this, and provides a
> brand-new Ajax.Response object to be used instead of the raw transport
> object currently being passed to callbacks.
>
> ...

... hmm.. huh? So, what about backward compatibility? Will this new response object be compatible with older versions of Prototype, or is yet another script refactoring to be expected?
Christophe Porteneuve
2007-Apr-30 21:35 UTC
Re: Use of X-JSON header for auto-JSON evaluation
Yanick wrote:
> ... hmm.. huh? So, what about backward compatibility? Will this new
> response object be compatible with older versions of Prototype,
> or is yet another script refactoring to be expected?

It will be entirely backward-compatible: you'll still get responseText as always, still get all the methods you used to call on the raw transport (XHR) object, and still get unsanitized JSON on X-JSON as default. But you'll be able to get much more power out of it.

We never break backward compatibility unless we're absolutely compelled to (e.g. major security fix). And when we do, we provide a deprecation layer (as you'll see for upcoming DOM/position refactoring) for ~6 months, so people can adjust at their own pace.

-- 
Christophe Porteneuve a.k.a. TDD
"[They] did not know it was impossible, so they did it." --Mark Twain
Email: tdd-x+CfDp/qHev2eFz/2MeuCQ@public.gmane.org
Can we read about the upcoming changes in Trac or somewhere else? I read the core google group but haven't seen much mentioned on there.

Gareth

On 5/1/07, Christophe Porteneuve <tdd-x+CfDp/qHev2eFz/2MeuCQ@public.gmane.org> wrote:
>
> Yanick wrote:
> > ... hmm.. huh? So, what about backward compatibility? Will this new
> > response object be compatible with older versions of Prototype,
> > or is yet another script refactoring to be expected?
>
> It will be entirely backward-compatible: you'll still get responseText
> as always, still get all the methods you used to call on the raw
> transport (XHR) object, and still get unsanitized JSON on X-JSON as
> default. But you'll be able to get much more power out of it.
>
> We never break backward compatibility unless we're absolutely compelled
> to (e.g. major security fix). And when we do, we provide a deprecation
> layer (as you'll see for upcoming DOM/position refactoring) for ~6
> months, so people can adjust at their own pace.
>
> --
> Christophe Porteneuve a.k.a. TDD
> "[They] did not know it was impossible, so they did it." --Mark Twain
> Email: tdd-x+CfDp/qHev2eFz/2MeuCQ@public.gmane.org
Christophe Porteneuve
2007-May-01 09:54 UTC
Re: Use of X-JSON header for auto-JSON evaluation
Gareth Evans wrote:
> Can we read about the upcoming changes in Trac or somewhere else?
> I read the core google group but haven't seen much mentioned on there.

Some stuff is discussed internally only, when we essentially work on "opinionated" parts of the lib. However, you can certainly monitor the Trac's RSS feed for changesets to Prototype's branches and trunk.

-- 
Christophe Porteneuve a.k.a. TDD
"[They] did not know it was impossible, so they did it." --Mark Twain
Email: tdd-x+CfDp/qHev2eFz/2MeuCQ@public.gmane.org