can.Model.findAll promotes usage of XSS attack vector #186

jeffrose · 2012-11-30T15:08:10Z

Model.find() assumes that the related service will return an object.

{ "name": "do the dishes" }

Model.findAll() assumes that the related service will return an array of objects, where each object is a model.

[ { "name": "do the dishes" }, { "name": "pick up milk" } ]

Returning an array as the root entity of a JSON service opens that service up to a XSS attack.

The fix is to wrap the array in an object.

{ "data": [ { "name": "do the dishes" }, { "name": "pick up milk" } ] }

The text was updated successfully, but these errors were encountered:

daffl · 2012-11-30T17:23:38Z

If you would like it mentioned in the documentation you can submit a pull request with the updated documentation.

justinbmeyer · 2012-11-30T18:31:07Z

Reopened b/c we should update our docs to show this as the standard way of sending data. We shouldn't show a vulnerability.

justinbmeyer · 2013-03-15T03:12:56Z

daffl closed this as completed Nov 30, 2012

justinbmeyer reopened this Nov 30, 2012

justinbmeyer closed this as completed Mar 15, 2013

Provide feedback