martini-contrib / render

Martini middleware/handler for easily rendering serialized JSON, XML, and HTML template responses.
MIT License

Adds protection against a JSON vulnerability. #23

Closed: tamasd closed this 10 years ago

tamasd commented 10 years ago

An attacker can turn a JSON endpoint's answer into a JSONP callback by overriding the Array constructor. Adding a prefix to a JSON response, which makes the response syntactically invalid, fixes this issue.

More information on this issue: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
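The mitigation described above, as an added example that is not part of the pull request or the render package's own code: the server prepends a prefix that is not valid JavaScript, so a cross-origin `<script>` include of the endpoint fails to parse before any array literal is evaluated, while a trusted same-origin client that fetched the body with XHR strips the prefix before parsing. The helper names `WriteJSON` and `StripJSONPrefix` and the prefix value are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// JSONPrefix is prepended to every JSON body. A leading ")" is a syntax
// error in JavaScript, so evaluating the body as a script throws before
// the array literal can run under an attacker-redefined Array constructor.
var JSONPrefix = []byte(")]}',\n")

// WriteJSON encodes v and writes it behind JSONPrefix (hypothetical helper,
// not the render package's own API).
func WriteJSON(w io.Writer, v interface{}) error {
	data, err := json.Marshal(v)
	if err != nil {
		return err
	}
	if _, err := w.Write(JSONPrefix); err != nil {
		return err
	}
	_, err = w.Write(data)
	return err
}

// StripJSONPrefix is the client-side step: a trusted same-origin caller
// removes the prefix before handing the text to its JSON parser.
func StripJSONPrefix(body []byte) ([]byte, error) {
	if !bytes.HasPrefix(body, JSONPrefix) {
		return nil, errors.New("response missing expected JSON prefix")
	}
	return body[len(JSONPrefix):], nil
}

func main() {
	// Constructed sample response: a JSON array of the shape the described
	// attack targets, written behind the prefix.
	var buf bytes.Buffer
	_ = WriteJSON(&buf, []string{"alice@example.com", "bob@example.com"})
	fmt.Printf("on the wire: %q\n", buf.String())
	clean, _ := StripJSONPrefix(buf.Bytes())
	var contacts []string
	fmt.Println(json.Unmarshal(clean, &contacts), contacts)
}
```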

codegangsta commented 10 years ago

This LGTM. Thanks for the contribution.