We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Model.find() assumes that the related service will return an object.
Model.find()
{ "name": "do the dishes" }
Model.findAll() assumes that the related service will return an array of objects, where each object is a model.
Model.findAll()
[ { "name": "do the dishes" }, { "name": "pick up milk" } ]
Returning an array as the root entity of a JSON service opens that service up to a XSS attack.
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
The fix is to wrap the array in an object.
{ "data": [ { "name": "do the dishes" }, { "name": "pick up milk" } ] }
The text was updated successfully, but these errors were encountered:
The can.Model.models converter already does this: https://github.com/bitovi/canjs/blob/master/model/model.js#L734
can.Model.models
If you would like it mentioned in the documentation you can submit a pull request with the updated documentation.
Sorry, something went wrong.
Reopened b/c we should update our docs to show this as the standard way of sending data. We shouldn't show a vulnerability.
http://canjs.us/#can_model-findall
No branches or pull requests
Model.find()
assumes that the related service will return an object.Model.findAll()
assumes that the related service will return an array of objects, where each object is a model.Returning an array as the root entity of a JSON service opens that service up to a XSS attack.
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
The fix is to wrap the array in an object.
The text was updated successfully, but these errors were encountered: