New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

can.Model.findAll promotes usage of XSS attack vector #186

Closed
jeffrose opened this Issue Nov 30, 2012 · 3 comments

Comments

Projects
None yet
3 participants
@jeffrose

Model.find() assumes that the related service will return an object.

{ "name": "do the dishes" }

Model.findAll() assumes that the related service will return an array of objects, where each object is a model.

[ { "name": "do the dishes" }, { "name": "pick up milk" } ]

Returning an array as the root entity of a JSON service opens that service up to a XSS attack.

http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx

The fix is to wrap the array in an object.

{ "data": [ { "name": "do the dishes" }, { "name": "pick up milk" } ] }
@daffl

This comment has been minimized.

Show comment
Hide comment
@daffl

daffl Nov 30, 2012

Contributor

The can.Model.models converter already does this: https://github.com/bitovi/canjs/blob/master/model/model.js#L734

If you would like it mentioned in the documentation you can submit a pull request with the updated documentation.

Contributor

daffl commented Nov 30, 2012

The can.Model.models converter already does this: https://github.com/bitovi/canjs/blob/master/model/model.js#L734

If you would like it mentioned in the documentation you can submit a pull request with the updated documentation.

@daffl daffl closed this Nov 30, 2012

@justinbmeyer justinbmeyer reopened this Nov 30, 2012

@justinbmeyer

This comment has been minimized.

Show comment
Hide comment
@justinbmeyer

justinbmeyer Nov 30, 2012

Contributor

Reopened b/c we should update our docs to show this as the standard way of sending data. We shouldn't show a vulnerability.

Contributor

justinbmeyer commented Nov 30, 2012

Reopened b/c we should update our docs to show this as the standard way of sending data. We shouldn't show a vulnerability.

@justinbmeyer

This comment has been minimized.

Show comment
Hide comment
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment