Is this a secure way to handle a JSONP response?

I am working on a non-critical script which will be run periodically – it’s really just for the entertainment of the dev team. Because it’s for fun, it does not really matter if it crashes sometimes (i.e.: I don’t mind if upstream changes to the response format occasionally force me to update the script). However, it must be secure to run on my company’s server.

The datasource for this script would be a JSONP response from a foreign server. I know that JSONP is not something I can fully trust to execute directly, since they could change their response to contain arbitrary JavaScript.

The response on the JSON page currently looks like this:

callback(INSERT_JSON_HERE);

If I extract the JSON by using a regex to remove the surrounding callback:

^callback\(([^)]*)\);$

and pass the extracted JSON string to JSON.parse(), will this approach be safe?

Reasoning: I am not executing any code directly from the foreign site. I just take a portion of their response which should contain JSON and pass it to JSON.parse(). If it does not contain JSON, JSON.parse will error out. If they change the callback or use some other code in place of the callback, the regex will not extract anything.
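The extract-then-parse approach described in the question, as an added example written for this page (not code from the original post): the wrapper is matched with escaped parentheses, the inner text goes only to JSON.parse, and malformed or non-JSON payloads are rejected rather than executed. It assumes Node.js; the callback name and the sample responses are constructed.

```javascript
// Added example (not from the original post): strip a fixed JSONP wrapper
// and hand only the inner text to JSON.parse, which parses data and never
// executes code. Callback name and sample responses are constructed.

const CALLBACK = "callback";

// Build the wrapper regex from the literal callback name so its parentheses
// are escaped. The greedy [\s\S]* tolerates ")" inside JSON strings because
// the trailing ");" must still match at the very end of the response.
function buildWrapperRegex(name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(`^\\s*${escaped}\\(([\\s\\S]*)\\);\\s*$`);
}

// Returns the parsed JSON value, or throws if the response is not exactly
// name(<json>); -- a changed callback, extra statements, or a JS expression
// such as alert(1) all end here as an exception, not as executed code.
function unwrapJsonp(body, name = CALLBACK) {
  const m = buildWrapperRegex(name).exec(body);
  if (m === null) {
    throw new Error("response is not a " + name + "(...); wrapper");
  }
  return JSON.parse(m[1]);
}

// Non-throwing variant so a periodic script can log and skip a bad response.
function tryUnwrap(body, name = CALLBACK) {
  try {
    return { ok: true, value: unwrapJsonp(body, name) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample responses: one valid (with a ")" inside a string),
// one carrying a JS call, one with a different callback, one non-JSON expression.
const GOOD = 'callback({"items":[{"name":"a)b","n":1}]});';
const JS_PAYLOAD = "callback(alert(1));";
const WRONG_CALLBACK = 'evil({"x":1});';
const NOT_JSON = "callback(1+1);";

for (const body of [GOOD, JS_PAYLOAD, WRONG_CALLBACK, NOT_JSON]) {
  console.log(body, "->", JSON.stringify(tryUnwrap(body)));
}
```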
