[Catalyst] implementing ajax

Moritz Onken onken at houseofdesign.de
Wed Mar 12 15:32:32 GMT 2008


For security reasons you should consider returning JSON only if the
request is an XMLHttpRequest.
I added

# forward to the JSON view only for XMLHttpRequest callers; a missing header
# gives '' rather than undef, so there is no "uninitialized value" warning
$c->forward( $c->view("JSON") )
    if ( ( $c->req->header("X-Requested-With") || '' ) eq "XMLHttpRequest" );

to my end method. If someone tries to get the JSON data directly he
gets an error or another template.
I don't know if YUI adds this specific header to each JSON request, but
it should.
This is not enough to make your JSON data bulletproof, but a good step
in the right direction. I suggest <http://en.wikipedia.org/wiki/Cross-site_request_forgery>
and <http://www.gnucitizen.org/blog/csrf-demystified/> as reading.

regards,

moritz


On 12.03.2008 at 14:47, Matt Pitts wrote:

> I'm going to have to be the red-headed stepchild that advocates XML...
>
>> -----Original Message-----
>> From: Mesdaq, Ali [mailto:amesdaq at websense.com]
>> Sent: Tuesday, March 11, 2008 5:19 PM
>> To: The elegant MVC web framework
>> Subject: RE: [Catalyst] implementing ajax
>>
>> Jennifer,
>>
>> Are you sure you want to stick with this route? Looks like you're going
>> to make a lot of work for yourself. I would hate to see the js code to
>> make xml. Use the js code to just post the values you want read those
>> values
>
> I can't speak too much on the generation of XML on the client, but I do
> advocate the use of POST rather than uploading an XML body. Most of the
> popular JS toolkits make this quite easy.
>
>> Why would you want to use JSON? Because javascript can just read it
>> straight in and you can use it without having to parse anything. Your
>> js would just eval the returned json content and use it. If you return
>> xml you will need to parse it out and just makes a lot of work.
>
> The main reason against JSON for me is security. Something that can be
> eval'd is very dangerous and I'm sure we're all aware of the cross-site
> vulnerabilities that take advantage of JSON returned data. The one thing
> that's always mentioned as total failsafe against it is to *not* use
> JSON as your returned data structure.
>
> As far as parsing the XML, that's why I use ExtJS. I can define a Store
> and use XPath to map Record fields to my XML data - ExtJS does the rest.
> It's a bit like having a Model of my data on the client side.
>
> Just my 2 cents.
>
> v/r
> -matt pitts
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/



