[Catalyst] implementing ajax

J. Shirley jshirley at gmail.com
Wed Mar 12 23:31:40 GMT 2008


On Wed, Mar 12, 2008 at 6:47 AM, Matt Pitts <mpitts at a3its.com> wrote:
> I'm going to have to be the red-headed stepchild that advocates XML...
>
>  The main reason against JSON for me is security. Something that can be
>  eval'd is very dangerous and I'm sure we're all aware of the cross-site
>  vulnerabilities that take advantage of JSON returned data. The one thing
>  that's always mentioned as total failsafe against it is to *not* use
>  JSON as your returned data structure.
>

Right... but eval'ing JSON is the same as eval'ing any other code.  A bad idea.

Instead, take a look at json.org/json2.js

This handles serialization into JSON without using inappropriate evals.

JSON, like all things, can be done right or wrong.  There are pros and
cons to each, but saying JSON is inferior due to security is a
strawman argument.

>  As far as parsing the XML, that's why I use ExtJS. I can define a Store
>  and use XPath to map Record fields to my XML data - ExtJS does the rest.
>  It's a bit like having a Model of my data on the client side.
>

The ExtJS stores are very nice, so is the grid.  I like vanilla YUI
for most things, but for a rich UI ExtJS really does well.

-J

-- 
J. Shirley :: jshirley at gmail.com :: Killing two stones with one bird...
http://www.toeat.com
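
The difference between eval'ing a response body and parsing it, as an added example that is not part of the original message. It uses the native `JSON.parse`, the same interface json2.js provides; the payloads are constructed, and `recordSideEffect` is a hypothetical stand-in for any function reachable from the page's scope.

```javascript
// Added example. Tracks whether any code ran while a response body was decoded.
const sideEffects = [];
function recordSideEffect(note) {
  sideEffects.push(note);
  return note;
}

// Pattern the thread warns against: the body is executed as JavaScript.
function parseWithEval(body) {
  return eval('(' + body + ')');
}

// Parser-based handling: only JSON grammar is accepted, nothing is executed.
function parseStrict(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Decode one body both ways and report how many calls each approach triggered.
function compare(body) {
  sideEffects.length = 0;
  let evalResult;
  try {
    evalResult = { ok: true, value: parseWithEval(body) };
  } catch (err) {
    evalResult = { ok: false, error: err.name };
  }
  const ranUnderEval = sideEffects.length;
  sideEffects.length = 0;
  const strictResult = parseStrict(body);
  return { evalResult, ranUnderEval, strictResult, ranUnderParse: sideEffects.length };
}

// Constructed bodies: one valid JSON document, one that is JavaScript but not JSON.
const benign = '{"user": "alice", "roles": ["admin"]}';
const notJson = '{"user": recordSideEffect("ran during parse")}';

for (const body of [benign, notJson]) {
  console.log(body, '=>', JSON.stringify(compare(body)));
}
```

Both approaches agree on the valid document; only the eval path accepts the second body, and it does so by calling the function embedded in it.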