Ticket #988 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

Javascript security warning on annotation display

Reported by: ronald
Assigned to: jkirton
Priority: unassigned
Milestone:
Component: topaz
Version: 0.9-rc1
Keywords:
Cc:
Blocking:
Blocked By:

Description

http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0000919 either annotation. Using ff 2.0 I see the following warning:

Consider using mimetype:text/json-comment-filtered to avoid potential security issues with JSON endpoints (use djConfig.usePlainJson=true to turn off this message) dojo.js (line 20)

Change History

07/23/08 15:57:51 changed by jkirton

  • status changed from new to assigned.

Yes - the remedy is to upgrade the JSONPlugin (http://cwiki.apache.org/S2PLUGINS/json-plugin.html) which will allow for the property 'wrapWithComments' to be enabled. Then in dojo-land, we replace all occurrences of handleAs:'json' with handleAs:'json-comment-filtered'. Not too hard.

07/31/08 13:58:11 changed by jkirton

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [6274]) fixes #988

Eliminated json security warning raised by dojo by wrapping all json data inside of a comment. This eliminates certain data hijacking threats (http://cwiki.apache.org/S2PLUGINS/json-plugin.html)

The webapp's JSONPlugin dependency was updated to the latest version (0.14 -> 0.30) in order to support comment wrapped JSON data. This version also has a few other bug fixes.

**NOTE: JSONPlugin v0.30 (jsonplugin-0.30.jar) is not yet in the main maven repo so it needs to be added to the gandalf maven repo manually.**
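
Added example, not part of the ticket and not dojo or JSONPlugin code: a sketch of the comment-wrapped JSON round trip the fix relies on, showing that the wrapped body evaluates to nothing when run as a script while bare JSON does not. The function names and sample data are hypothetical, and escaping "*/" inside string values is an assumption of this sketch, not something the page says JSONPlugin does.

```javascript
// Added example: helper names are hypothetical, not dojo or JSONPlugin code.

// Server side: wrap the JSON text in a block comment (the wrapWithComments idea).
// "*/" can only appear inside a JSON string, so escaping its slash keeps the
// comment from closing early and is still valid JSON ("\/" decodes to "/").
function wrapWithComments(data) {
  return "/* " + JSON.stringify(data).replace(/\*\//g, "*\\/") + " */";
}

// Client side: accept only a comment-wrapped body, then parse what is inside.
function parseCommentFiltered(body) {
  const start = body.indexOf("/*");
  const end = body.lastIndexOf("*/");
  if (start === -1 || end < start + 2) {
    throw new Error("JSON response was not comment filtered");
  }
  // Text outside the wrapper would run if the body were loaded as a script.
  if (body.slice(0, start).trim() !== "" || body.slice(end + 2).trim() !== "") {
    throw new Error("unexpected content outside the comment wrapper");
  }
  return JSON.parse(body.slice(start + 2, end));
}

// Evaluate the body the way a script include would. A body that is one
// comment is an empty program: nothing is constructed, the result is undefined.
function evaluatesToNothing(body) {
  return (0, eval)(body) === undefined;
}

// Constructed sample data, not taken from the ticket.
const annotation = { id: 7, title: "Minor correction", body: "see a */ b" };
const wire = wrapWithComments(annotation);
console.log(wire);
console.log(parseCommentFiltered(wire));
console.log(evaluatesToNothing(wire), evaluatesToNothing(JSON.stringify([annotation])));
```

The parser rejects unwrapped responses outright, so an endpoint that was missed during the switch to comment wrapping fails loudly on the client.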